636-555-3226 wrote: » You can say you passed it, and have the print-out from the site (or the letter) saying you passed it, but what's the point? If I'm hiring an internal auditor or a consulting-company auditor, I want someone experienced in auditing IT systems. Someone who passed the test, but doesn't have any experience, isn't really what I want to pay for. I know it isn't great news, but that's my own personal opinion. Real-world experience/skills trumps a guy who can study for & pass a test any day.
1Sep1969 wrote: » I'm a graduate student trying to get in the field of IT auditing. I passed the CISA exam to set myself apart from other candidates. Audit firms are probably what I should aim for, but I've heard that some companies do hire graduates without experience. If all you're going to do is hire experienced auditors, how are the inexperienced ones going to get hired and move forward? From what I understand, there's a shortage, too. We're probably more eager to learn and prove ourselves than the experienced ones. And also bring fresh ideas.
jcundiff wrote: » IT Audit is not an entry-level gig, hate to break that to you... you need to have experience on and understand how IT systems should operate and how to properly secure them. That's not stuff that you are going to pick up from a book or class. Find you a job in IT and work toward moving into audit. I had been in IT for 15 years before I started doing audits (don't think you need that much experience, but at least 3-5 years). As 636-555-3226 said experience trumps passing an exam... I would hire an experienced auditor, with even just a couple of years experience than someone who just passed a test... there is a reason that these certs have an experience requirement to obtain the cert in addition to passing the exam
1Sep1969 wrote: » You probably know better than I do, but before I took the exam, I was told that I can't pass it without work experience. Not true (in my case). IT audit not entry level? Graduates get hired by audit firms. The IT auditors I met at audit firms were from accounting background and hardly tech savvy (much less than me), although I know they are more accounting focused. I know one graduate who passed the exam and got hired by an audit firm mainly because he had passed the exam. Two students were hired from my professor's class by a company and trained as IT auditors (because there's a shortage).
xxxkaliboyxxx wrote: » Just to throw in there, accountants have audit experience, just saying.
1Sep1969 wrote: » The letter shows the results instead of just stating pass. I did not barely pass, but wouldn't it be better if it doesn't show the numbers (though it's not like the numbers mean anything, since it's not percentage based)?
1Sep1969 wrote: » No experience is required to get hired by Risk Assurance. The accountants probably learned auditing in school, whereas IS graduates don't, but I'm not sure how much experience they had in auditing before they moved to Risk Assurance (as I said, some get hired straight from school).
jcundiff wrote: » So you are able to identify risks, develop mitigation plans and controls to reduce to an acceptable level per the client company's risk appetite, document everything in the risk register you developed, and determine correct schedule of review and approvals without experience? Accounting/Financial auditing is significantly different than IT audits... sure there is some process overlap but there are huge differences. I performed audits (Security Risk assessments) on our vendors for several years (onshore and offshore [meaning I was boots on the ground in India for 4-6 weeks at a time a couple times a year]) you know why I was assigned this? Because I had experience ... I will say again, I (most IT/IS hiring managers as well) will hire someone with no degree and no certs with 1-2 years boots on the ground experience before someone with a degree and passed a certification exam but has zero experience... your mileage may vary...
jcundiff wrote: » Make a copy and block the scores out with a sharpie and make more copies to attach with your resume, if you do not want potential employers knowing your score... but be prepared should you get an interview to discuss why you redacted them.
636-555-3226 wrote: » I have to admit, my infosec dept is audited every year by the big box global auditing firms (you'd know their names), and we always get some fresh newbie out of school who asks a few questions from a questionnaire, but you can tell he has no idea what he's doing. Literally every year it's just "show me a screenshot of your AD enterprise & domain admins from the MMC snap-in, show me your password reqts GPO, and show me a backup log indicating you're backing things up every 24 hours." As long as the number of EAs & DAs doesn't go up, our password reqts are complex + 8 chars, and our text logfiles indicate a backup occurred (successful or not...) in the last 24 hours, we pass with a green "Low Risk" rating (HA!). In talking with the people every year (it's always a new newbie), none of them have any idea what a domain admin is or does, and none of them have any idea that an 8 character AD password, complex or not, is absolute rubbish. In other words, there's hope for newbies everywhere, just don't expect a lack of experience or understanding of the material (which comes with that experience) to actually let you help your auditees very much. You'll get the job and the paycheck, but what kind of actual value will you provide other than that compliance checkbox most companies need?
feydrax wrote: » Well, I have a similar question but in a different context. Is the results slip that is available on the ISACA website the only proof that I have passed my examination? My employer wants to know if ISACA issues any official hardcopy certificate or result slip to show that I have passed the exam.
636-555-3226 wrote: » .......... in talking with the people every year (it's always a new newbie), none of them have any idea what a domain admin is or does, and none of them have any idea that an 8 character AD password, complex or not, is absolute rubbish. ......... you'll get the job and the paycheck, but what kind of actual value will you provide other than that compliance checkbox most companies need?
cfirsten wrote: » I can tell you that for me, when I took it on paper, they sent me a letter with the same results that can be seen on the website. Don't know if they will issue one since they've moved to the CBT, however they did send me an email with the results. I don't know why you couldn't use that email and print it out.
1Sep1969 wrote: » Again, everyone says something different. Had I not taken the CISA exam, you would have told me that I can't get a passing score without work experience. Well, I proved everyone wrong. I guess they should be training those newbie auditors? Well, I don't know. We'll see what happens. At least, I have some basic understanding of IT auditing. Also, I come from an IS background and those firms probably hire accountants.
tphan3 wrote: » Hey man, I am in a similar situation. I just graduated from my grad school last May. I don't have any experience yet but still managed to pass all big certs in my first try with high scores. However, I got my job as a cybersecurity consultant (Risk Assurance like the one you said) 2 years ago after getting my Sec+, but I delayed the work (and the company agreed to wait for me too) to finish my MBA. I showed my employer that cybersecurity would be the thing that I wanted to do. You probably don't need to pass CISA to get a job, but passing CISA will definitely make job finding easier. You need to show passion for the job, and passing the CISA is one of the ways to do so and to get through the HR filter. Don't worry, you probably get more interview calls now, and good luck because you will need it.