Should non-auditors become Certified Information Systems Auditors (CISA)? Being a CISA can change your approach to work, helping not only your career but also your enterprise. Here’s why: IT plays a vital role in realizing business benefits, satisfying internal and external stakeholders and thereby contributing value to the business, and the proper competencies of IT staff are critical to delivering business tasks.

CISA is the most popular ISACA certification. Early on, demand for CISA certification came primarily from international auditing companies (e.g., the Big 4), since certification was required to conduct audits according to international standards. But now, information and technology are vital elements of enterprises, as is an understanding of the dynamic challenges in the current environment. That means that the important benefits that CISA certification brings continue to be applicable to the business world.

But What If You Are Not an Auditor? Do You Still Need CISA Certification?

CISA certification allows you to change your approach to work because the preparation and requirements of the certification require you to change your way of thinking. It allows you to focus on business objectives and avoid being process-focused when doing any operational task. The most common question you will ask yourself is “What is the value to the business from a certain activity?” This way of thinking leads to timely identification of risk and thereby helps manage risk effectively.

A CISA professional understands modern technology and requirements in controlled environments; therefore, having a CISA-certified person in their IT group allows enterprises to promote a risk and security culture.

CISA Benefits Individuals and Enterprises

The case in favor of CISA certification and CISA professionals is best represented in the IT assurance function. That is because having CISA-certified professionals allows an organization to clearly understand external audit requirements, since CISAs speak the same language. This also helps the enterprise effectively manage and coordinate external audit activities.

Once findings and actions are assigned by a CISA professional, the assigned actions can be closed in an effective way that eliminates root causes and thereby improves existing processes and meets IT/business objectives.

Finally, the most important point centers around conducting assurance activities. Once the governance of enterprise IT (GEIT) framework is established and formalized, the question is: How should the enterprise go about monitoring and controlling assigned activities and adopting best practices, e.g., COBIT 5? The answer is assurance events.

In my opinion, assurance events are best conducted by CISAs, since they easily understand and are able to implement and adopt COBIT and other GEIT frameworks. It is one of the many reasons why CISA certification not only benefits the certificate holder’s career, but also the enterprise that they work for.

(About the author: Dana Kasymova is an ICT risk and assurance advisor with the North Caspian Operating Company and a member of ISACA. This post originally appeared on her ISACA blog.)
