3 Reasons Why the CISA Certification Does Not Make You an IT Auditor


You read the title right and I’m sorry to burst your bubble. You cannot become an IT Auditor simply by getting the CISA certification.

I have seen so many people try to start careers in IT Audit by getting the CISA certification. Unfortunately, that is not the right approach to starting a successful career as an IT Auditor.

If you don’t know what the CISA Certification is, you can read THIS POST that provides a good level of detail on the certification.

To summarize that post, CISA stands for Certified Information Systems Auditor. Obtaining the CISA certification requires you to first pass the CISA exam. Then you apply for the actual certification after you've gained at least 5 years of work experience in IS/IT auditing, control, assurance, or security.

This certification path is unique because it allows you to take the exam before you have the experience required to get the certification. Many other certifications require you to have the experience first before taking the exam. One caveat: ISACA requires you to apply for the certification within 5 years of passing the exam, so passing it is a starting point, not a credential you can sit on indefinitely.

Now that you have the general idea about the CISA certification, let me go into the reasons why simply having the certification does not make you an IT Auditor.

Let me start first by saying that I am not knocking the CISA certification.

In fact, CISA was the very first certification I got in my IT career. I took the exam after working in IT Audit for about a year and passed it on my first try.

You can check out this post on tips to pass certification exams the first time.

So, don’t get me wrong and think I’m saying the CISA is not valuable.

In actual fact, it is a very valuable certification for IT Auditors that want to start or progress their careers. Many IT Auditor job postings list the CISA as required or preferred. So, if you have CISA on your resume, you should at least get through the first resume review stage for IT Audit jobs.

However, if you want to be a good IT Auditor, the CISA is simply not enough.


Reason #1: The exam is only about general understanding of concepts

The CISA exam is not a test of your abilities as an IT Auditor. Passing the CISA exam simply means you understand auditing, controls, and security concepts well enough to answer multiple-choice questions about them.

Think about this.

Does passing the written part of the driving test make you a driver? No.

So, passing the CISA exam does not make you an auditor.

Let’s keep going with the driving example.

In the US, you don't get a driver's license after passing the written exam. To my knowledge, that only qualifies you for a learner's permit. This learner's permit requires you to drive with another experienced driver in the car until you pass the driving test.

This is similar to the CISA exam. Passing the exam without prior IT Audit experience means you should now get some practice with a mentor to guide you along the way. The mentor can be other people at your job or other experienced IT Auditors. Once you have the right amount of experience, you can consider yourself a true IT Auditor.


Reason #2: Work experience requirements are not limited to IT Audit

Ok, so what if you already passed the exam AND got the CISA certification based on 5 years of experience?

That’s great! But it may still not make you an IT Auditor (or at least an experienced one).

ISACA accepts experience in IS/IT auditing, control, assurance, or security work toward the CISA. It does not have to be audit experience.

So, if all of your experience is in security work, you can still get the CISA certification. And that does not make you an IT Auditor.

In addition, up to 3 of the 5 years of work experience can be waived based on the applicant's college education.

If the applicant has a 2-year college degree, it can count for one year of experience.

If the applicant has a 4-year college degree, it can count for two years of experience.

If the applicant has a master’s degree in IS/IT, it can count for one additional year of experience.

In my case, I had a 4-year college degree and a master’s in an IT field, so I was able to substitute 3 years of experience. This means I only needed 2 years of experience in IT auditing, controls, or security to get the certification.

So, this means that someone with only 2 years of security experience and the right degrees can pass the CISA exam and obtain the CISA certification. They may have the CISA certification, but they are not IT Auditors.

Reason #3: IT Auditing requires hands-on experience

Finally, being an IT Auditor requires proper hands-on experience and mentoring.

I started my career in one of the Big 4 firms, and even after intensive training (like this one I offer), they always send out new IT Auditors with experienced IT Auditors.

As a new associate, you would be paired with a senior associate to work with you on your audit engagement. Then, as you gain experience, you could be sent out solo for small engagements.

In order to learn IT Auditing, you have to learn it in the field. Simple.

The more IT Audits you perform, the better you become.

The more closely you work with mentors, the more insights you gain into how to audit properly.

In fact, my personal philosophy is that you become a better IT Auditor when you move from knowing ‘what’ to audit to understanding ‘why’ you audit.

Understanding the ‘why’ comes from completing many IT audits and working with a mentor that can teach you.

To summarize, you become an IT Auditor by learning from doing.


Becoming an IT Auditor

So, what should you do to become an IT Auditor?

Don’t be discouraged by the reasons above. I did not write this post to discourage anyone that started studying for the CISA to become an IT Auditor.

In fact, the opposite is true.

This post is to encourage people that either have or are working towards the CISA certification to get IT Audit training and experience. Hands-on training and experience are essential to becoming a good IT auditor.

Here are some things to consider on your journey to become an IT Auditor.

  • Take time to understand IT Audit and Controls concepts as well as IT security principles. Knowing the basics will help you tremendously. You can take this FREE training for an introduction to IT Audit and Controls.
  • When performing audits, trust but verify ALWAYS (a true IT Auditor applies professional skepticism and does not accept a control as effective without evidence)
  • Learn as much as possible about each technology you audit to increase your effectiveness
  • Improve your data analysis skills (Excel, ACL) to improve your efficiency and effectiveness on audits
  • Work with a mentor (either on your job or an experienced person you know) to understand why items are being tested/audited
  • Network with other IT Auditors so you have people to review challenges and ideas with (You can join the IT Audit Fundamentals Facebook group)

IT Audit Training Courses

If you want courses that teach IT Audit using a practical, hands-on approach, then check out these courses that I offer.


There you have it. 3 reasons why having the CISA certification does not make you an IT Auditor. Do you have the CISA, or are you considering getting the certification? If you plan to take the CISA exam, how do you plan to gain experience to become a good IT Auditor?
