What does a CISA do?

What Does a Certified Information Systems Auditor (CISA) Do?

CyberVista, now N2K

In today’s environment, information is among an organization’s most valuable assets. Information systems professionals must leverage the value of data while ensuring the security and integrity of the data that drives the business. The Certified Information Systems Auditor (CISA) certification is recognized worldwide as proof of competency and experience in securing critical business assets and ensuring that those assets remain available.

The CISA certification is a globally recognized credential for IS audit, control, assurance, and security professionals. According to the Information Systems Audit and Control Association (ISACA), the certification showcases an individual’s audit experience, skills, and knowledge, and demonstrates the capability to assess vulnerabilities, report on compliance, and institute controls within the enterprise.

The CISA exam covers the following five domains:

  • Auditing Information Systems

  • Governance and Management of IT

  • Information Systems Acquisition, Development, and Implementation

  • Information Systems Operations, Maintenance, and Service Management

  • Protection of Information Assets

Candidates are expected to demonstrate proficiency in all five of these domains on the 150-question CISA exam.

As the name implies, an IS auditor is responsible for the auditing function within an organization. This includes:

  • Executing a risk-based IS audit strategy

  • Planning audits to determine whether assets are protected, controlled, and delivering value

  • Conducting audits according to standards and audit objectives

  • Communicating audit results and making recommendations to management

  • Conducting audit follow-up to determine if recommended actions have been taken by management

In addition to regular auditing duties, an IS auditor must work with management to ensure that organizational processes support the organization’s strategies and objectives. This includes evaluating:

  • The IT strategy for alignment with the organization’s objectives

  • The effectiveness of the IT governance structure

  • IT organizational structure and personnel management

  • Organizational IT policies, standards, procedures, and processes

  • IT resource management

  • IT portfolio management

  • Risk management practices

  • IT management and monitoring of controls

An IS auditor must work with management to ensure that the acquisition, development, testing, and implementation of information systems meet the organization’s strategies and objectives. This includes:

  • Evaluating the business case for proposed information systems

  • Evaluating IT supplier selection and contract management processes

  • Evaluating the project management framework and controls

  • Conducting project reviews

  • Evaluating controls for information systems

  • Evaluating the readiness of information systems for implementation

  • Conducting post-implementation reviews

Once systems are implemented, an IS auditor must work with management to ensure that the operations, maintenance, and service management of information systems meet the organization’s strategies and objectives. This includes:

  • Evaluating the IT service management framework and practices

  • Conducting periodic reviews of information systems

  • Evaluating IT operations

  • Evaluating IT maintenance

  • Evaluating database management practices

  • Evaluating data quality and life cycle management

  • Evaluating problem and incident management practices

  • Evaluating change and release management practices

  • Evaluating end-user computing

  • Evaluating IT continuity and resilience

Finally, an IS auditor must work with management to ensure that the organization’s security policies, standards, procedures, and controls provide for the confidentiality, integrity, and availability of information assets. This includes evaluating:

  • The information security and privacy policies, standards, and procedures for completeness and alignment with organizational objectives

  • The design, implementation, maintenance, monitoring, and reporting of:

    • physical and environmental controls

    • systems and logical security controls

    • data classification processes and procedures

  • The processes and procedures used to store, retrieve, transport, and dispose of information assets

  • The information security program

According to ISACA, hiring managers look for the CISA certification, and some business and governmental agency roles require it. Financial institutions, healthcare organizations, colleges and universities, and certifying bodies often seek individuals who hold the CISA certification. Specific organizations include Ernst & Young, the Financial Industry Regulatory Authority (FINRA), Nintendo of America, The Institute of Internal Auditors, Sempra Energy, and Freddie Mac.

If you’re interested in learning more about the CISA certification, visit the ISACA website for more information.

Posted by: Robin Abernathy