In this slidecast, Michael Lin provides an overview on the role of information systems (IS) audits, available IS audit-related designations, and the benefits of attaining or hiring individuals with these designations. He also attempts to provide some guidelines on how an IS audit professional should pursue such designations.
2. Information System (IS) Audit... Profession traditionally concerned with audit Increased complexity in IS ingrained in business processes Old requirements + New complexity = Need for new expertise
3. ...-Related Designations Expertise: Specialists? Standardization? In response, professional associations created IS audit-related designations
4. Overview Role of IS Audits Overview of IS Audit-Related Designations Benefits of Certification – For the Professional Benefits of Certification – For the Organization Guidelines for the Pursuit of IS Audit-Related Designations
5. Role of IS Audits Need to understand role of IS audits in today’s business environment Role relates to efficiently and effectively conducting audits in the context of complex IS Some audit types where IS audit is employed: Audit of Financial Statements Section 5970 Audits Trust Services Internal Audit
6. Role of IS Audits (Cont’d) Audit of Financial Statements IS traditionally used to record, process, and summarize transactions for financial statement generation IS increasingly used for other critical business processes in an integrated manner Section 5970 Audits IS utilized for service delivery IS includes many embedded controls
7. Role of IS Audits (Cont’d) Trust Services Security, availability, processing integrity, confidentiality, and privacy IS clearly important Internal Audit Not external reporting, delivers value in various ways IS may be extensively utilized in business processes i.e. Both internal and external audit may involve IS audit
8. Overview of IS Audit-Related Designations Extensive number of relevant designations, with some very specialized differences To examine: Major designations in discipline Some classifications of other related designations
9. Certified Information Systems Auditor (CISA) Single most relevant designation for IS audit Flagship designation for ISACA (actual name), with over more than 85,000 professionals in nearly 160 countries “...for those who audit, control, monitor and assess an organization’s IT and business systems”
10. CISA (Cont’d) Five job practice domains Domain 1—The Process of Auditing Information Systems (14%) Domain 2—Governance and Management of IT (14%) Domain 3—Information Systems Acquisition, Development and Implementation (19%) Domain 4—Information Systems Operations, Maintenance and Support (23%) Domain 5—Protection of Information Assets (30%)
11. Certified Information Security Manager (CISM) Second most popular designation offered by ISACA with 16,000 professionals “...for individuals who design, build and manage enterprise information security programs”, with a high-level management focus
12. CISM (Cont’d) Five job practice domains Domain 1—Information Security Governance (23%) Domain 2—Information Risk Management (22%) Domain 3—Information Security Program Development (17%) Domain 4—Information Security Program Management (24%) Domain 5—Incident Management & Response (14%)
13. Certified Information Systems Security Professional (CISSP) Offered by the International Information Systems Security Certification Consortium (ISC)2 For “professionals who develop policies and procedures in information security” Offers concentrations in Architecture, Engineering, and Management
14. CISSP (Cont’d) Ten domains of knowledge: Access Control Application Development Security Business Continuity and Disaster Recovery Planning Cryptography Information Security Governance and Risk Management Legal, Regulations, Investigations and Compliance Operations Security Physical (Environmental) Security Security Architecture and Design Telecommunications and Network Security
15. Other Designations – IS and IT Designations in IS and IT generally (i.e. not necessarily directly related to audit) Benefits IS audit professionals through provision of general background knowledge or specific area expertise Three potential categories: General focus, e.g. I.S.P. Specific organizational focus, e.g. CGEIT, CAP Specific technical focus, e.g. C|EH, CSFA, GCIH
16. Other Designations - Accounting Designations in accounting related to audit (i.e. non-technical) Benefits IS professionals through audit-related expertise In Canada: CA CMA CGA CIA
17. Benefits of Certification – For the Professional Up to professional to pursue and attain designations Professional associations offering certifications have very positive view: Improved career prospects Demonstrate working knowledge and commitment Career differentiator, marketability Access to resources, such as networking
18. Benefits of Certification – For the Professional (Cont’d) Another view: Certifications still good way to show interest or seriousness about career But, in many cases: Need certifications to keep jobs Competing individuals in job market have same certifications Need certifications just to get past resume search engines No long a source of competitive advantage
19. Benefits of Certification – For the Organization Organizations can influence professional pursuit of certifications through hiring, retention, and promotion policies Professional associations’ positive view: Benefits to professionals extended to employers Establish standard of best practices Enable a broader perspective, including both business and technology
20. Benefits of Certification – For the Organization (Cont’d) The literature agrees IS professionals help align IT with business priorities IT audits generate value for companies through third-party regular evaluation of information security policies and architecture Benefits apply to external as well as internal audit External auditors: fees and costs Internal and external IS audit are related
21. Guidelines for the Pursuit of IS Audit-Related Designations IS audit-related designations provide clear benefits, but has costs Financial costs, i.e. Fees and materials Non-financial costs, i.e. Time and dedication Too many designations may even cause employers to find the resume unattractive Should not pursue as many designations as possible Return on investment
22. Guidelines ... (Cont’d) Long-term approach Make a career plan and map in certifications, time, and effort Some specific considerations General vs. specialized designations IT or accounting designations
23. Concluding Remarks – Key Takeaways Continuing trend in IS IS audit-related designations: are relevant and add value, but becoming necessity rather than advantage Professionals need to take long-term career plan-based approach