Certifications to take for a new IT auditor with no IT background

I'm blessed with this opportunity to join a firm as a junior IT audit & risk personnel soon.

I'm from an Accounting & Finance background and do not have any prior IT related education.

I understand that there tonnes of certifications which will be of great benefit for me, but I'd like to know which is the most relevant certification that I can prioritize to give me the relevant knowledge to kick start my career in this field.

My own research says CISA, but I'd like to know your opinions too.

What other practical knowledge or projects that a beginner like me can attempt?

Many thanks!

Find more posts tagged with

Comments

Ertaz

feydrax wrote: »

I'm blessed with this opportunity to join a firm as a junior IT audit & risk personnel soon.

I'm from an Accounting & Finance background and do not have any prior IT related education.

I understand that there tonnes of certifications which will be of great benefit for me, but I'd like to know which is the most relevant certification that I can prioritize to give me the relevant knowledge to kick start my career in this field.

My own research says CISA, but I'd like to know your opinions too.

What other practical knowledge or projects that a beginner like me can attempt?

Many thanks!

Security+ would be a good technical starter imo. Then on to CISA.

TheFORCE

feydrax wrote: »

I'm blessed with this opportunity to join a firm as a junior IT audit & risk personnel soon.

I'm from an Accounting & Finance background and do not have any prior IT related education.

I understand that there tonnes of certifications which will be of great benefit for me, but I'd like to know which is the most relevant certification that I can prioritize to give me the relevant knowledge to kick start my career in this field.

My own research says CISA, but I'd like to know your opinions too.

What other practical knowledge or projects that a beginner like me can attempt?

Many thanks!

Your research is correct, you can take the CISA but you will not be granted the certification. As per the the ISACA website, you need a minium of 5 years experience on the job on the below areas. With that said, you can go for the Security+, it will help you more because it is a bit more technical and will be a good foundation for the CISA.

How to Become CISA Certified

Job Practice Areas 2016

feydrax

Thanks for the recommendation! It seems like Security+ can be something for me to look into for now.

Applying that to my current situation, should I focus more on theoretical concepts first or technical knowledge to make myself useful as early as possible?

verdigris

In terms of practical knowledge to start out, https://itauditsecurity.wordpress.com/2011/09/16/auditors-know/ is a good list of basic items that you will want to understand.

I would definitely focus your efforts on the "IT" part as the "auditor" part you'll get pretty quickly on the job. I've been an IT Auditor for four years, and my certification path has been Security+ > CIA > CISA > CISSP. I would definitely recommend this path with the possible exception of the CIA as there will be some overlap with your accounting background, and probably unnecessary if you have a CPA.

PJ_Sneakers

Since you have no IT background at all and you are actually walking into a position, I would glance over CompTIA A+ to get acclimated, and then look into CompTIA Network+ to get familiar with how networking works because networking is really the backbone of IT. It doesn't matter if it's an iPad, a Windows PC, a Xerox multifunction printer/copier, or a Mac Pro, they all have to connect to a network to be useful to an enterprise.

You probably don't have to dive in so deep that you get Network+ certified, but the knowledge will help you with Security+ because it will test your understanding of how computers communicate (such as routing through a network to a firewall and out to the Internet). I would look at getting Security+ certified, especially since you don't have the CISA prerequisites yet. Security+ is actually pretty good stuff; I think it should be mandatory for IT staff but that's just me.

soccarplayer29

Echoing what others have said: Security+ is a great foundation and should give you a lot of good information to use in your daily duties.

CISA can be done a little later; I found that having IT auditing experience definitely helps prepare you for the CISA and by the time you get 1+ years of experience in IT audit your firm will likely start angling your progression goals towards CISA but is not something you need to have with 0 years of experience--I think the sec+ will help connect a lot of the terminology and general practices together that you can use right away.

Raystafarian

You have no experience in IT, but how much experience do you have in audit?

feydrax

I have 2 years in auditing, but it's more inclined towards financial audits, and less on operational audits. I do have a CPA though.

beads

Not so much a certification but I highly recommend looking into The Great Courses: Argumentation. First. Its a course I think everyone should take, particularly auditors as your going to become tired of people basically lying to you. This will help you sift through some of the social garbage people will tell you in the course of gathering evidence. Every administrator believes their own garbage about "telling the auditor what they want to know..." So learning how people set up arguments both good and bad will help you throughout your career.

Coursera may have some other smaller courses and certifications related to your audit career that also may be of interest if it relates to whom your auditing. Later on these two companies make submitting CPEs and CEUs a breeze - particularly for non direct requirements like the CISSP. Argumentation alone satisfies three years of requirements in one course.

Check out Cybrary and YouTube for more courseware that may or may not be related to audit.

Look beyond just certs there is a ton of free courseware out there for you to improve your career.

Audit is by far the best place to start an InfoSec career, by the way.

- b/eads

Remedymp

A bachelor's or master's degree from a university that enforces the ISACA-sponsored Model Curricula can be substituted for 1 year of experience. To view a list of these schools, please visit www.isaca.org/modeluniversities. This option cannot be used if 3 years of experience substitution and educational waiver have already been claimed.

If you have a bachelors, plus the experience should allow you to sit for it.

DatabaseHead

CISA seems to make sense.

beads

@Remedymp

Feydrax is indicating that he's a fresher and about to start his audit career so shockingly he's trying to do things right. He has not IT audit background but a CPA. Good news is InfoSec and audit in particular is largely based on IACPA financial controls back in the mid 1960s.

Yes, back before 2000 IT security, if it existed, worked for a CPA and likely the CFO - not IT, MIS or DP.

- b/eads

feydrax

beads wrote: »

@Remedymp

Feydrax is indicating that he's a fresher and about to start his audit career so shockingly he's trying to do things right. He has not IT audit background but a CPA. Good news is InfoSec and audit in particular is largely based on IACPA financial controls back in the mid 1960s.

Yes, back before 2000 IT security, if it existed, worked for a CPA and likely the CFO - not IT, MIS or DP.

- b/eads

@beads

Interestingly I find your answer to be the most relevant to me!

TBH I'm not in a particular rush to acquire any certification, as the firm will be funding me on the relevant certifications.

The recommendations in favor of Security+ have been helpful, and I've just read through the index of the syllabus, it certainly looks like a good introductory material for someone like me.

I'm looking for avenues to gain the relevant knowledge make myself relevant to the job scope, and I find your answer to be very practical and suitable for me!

If financial controls are still relevant, I guess that gives me some level of comfort. At least I have something to offer.

P/S : the word "shockingly" gave me a chuckle, I've been trying to make this jump to IT audit for a while, from Financial Audit > Finance Analyst > Finance Application Support > IT audit. I was actually expecting to spend some time in the support role and do some self study, but this firm is actually willing to invest in me for the IT audit role. That's why I'm totally caught by surprise.

feydrax

Quick update

I actually went ahead and took CISA, and I passed!!! However, passing CISA doesn't really give me that much of a confidence

I guess the lacking in technical is still a problem for me

??:

adrenaline19

Sec+ is a good certificate and a good start to the process. I'd also recommend setting up a test environment at home and just playing around in it. Test things out, play around, see what happens when you type random **** onto a command line. Figuring out how to fix stuff you broke is the best learning experience possible.

Once you get started, you'll figure out what you want to learn next.