Proving I passed CISA exam?

1Sep1969

I passed the CISA exam in June and received my results today. I won't certified until I get 2 or 3 years of work experience. However, when I apply for positions, I want show potential employers that I passed the CISA exam. Exactly how can I present "evidence"? Would the "Print Results Letter" on my ISACA.org account be good enough?

If I write a cover letter and state that I passed the exam, should I attach the results letter?

The letter shows the results instead of just stating pass. I did not barely pass, but wouldn't be better if it doesn't show the numbers (though it's not like the numbers mean anything, since it's not percentage based)?

636-555-3226

You can say you passed it, and have the print-out from the site (or the letter) saying you passed it, but what's the point? If I'm hiring an internal auditor or a consulting-company auditor, I want someone experienced in auditing IT systems. Someone who passed the test, but doesn't have any experience, isn't really what I want to pay for. I know it isn't great news, but that's my own personal opinion. Real-world experience/skills trumps a guy who can study for & pass a test any day.

1Sep1969

636-555-3226 wrote: »

You can say you passed it, and have the print-out from the site (or the letter) saying you passed it, but what's the point? If I'm hiring an internal auditor or a consulting-company auditor, I want someone experienced in auditing IT systems. Someone who passed the test, but doesn't have any experience, isn't really what I want to pay for. I know it isn't great news, but that's my own personal opinion. Real-world experience/skills trumps a guy who can study for & pass a test any day.

I'm a graduate student trying to get in the field of IT auditing. I passed the CISA exam to set myself apart from other candidates. Audit firms are probably what I should aim for, but I've heard that some companies do hire graduates without experience.

If all you're going to do is hire experienced auditors, how are the inexperienced ones going to get hired and move forward? From what I understand, there's a shortage, too. We're probably more eager to learn and prove ourselves than the experienced ones. And also bring fresh ideas.

jamesleecoleman

1Sep1969 wrote: »

I'm a graduate student trying to get in the field of IT auditing. I passed the CISA exam to set myself apart from other candidates. Audit firms are probably what I should aim for, but I've heard that some companies do hire graduates without experience.

If all you're going to do is hire experienced auditors, how are the inexperienced ones going to get hired and move forward? From what I understand, there's a shortage, too. We're probably more eager to learn and prove ourselves than the experienced ones. And also bring fresh ideas.

You could volunteer somewhere and while doing IT stuff, perform audits. If you want experience, you're gonna have to try and create work for yourself.

xdbuix

636-555-3226 wrote: »

You can say you passed it, and have the print-out from the site (or the letter) saying you passed it, but what's the point? If I'm hiring an internal auditor or a consulting-company auditor, I want someone experienced in auditing IT systems. Someone who passed the test, but doesn't have any experience, isn't really what I want to pay for. I know it isn't great news, but that's my own personal opinion. Real-world experience/skills trumps a guy who can study for & pass a test any day.

All very valid points. All I would suggest is to grab any sort of experience related to IT. I would even suggest starting at the help desk and working up towards IT Auditing just so you get to see the little details along the way. To be completely honest with you, my help desk position is still the one job that taught me the most in my IT career!

Either way, good luck!

jcundiff

1Sep1969 wrote: »

I'm a graduate student trying to get in the field of IT auditing. I passed the CISA exam to set myself apart from other candidates. Audit firms are probably what I should aim for, but I've heard that some companies do hire graduates without experience.

If all you're going to do is hire experienced auditors, how are the inexperienced ones going to get hired and move forward? From what I understand, there's a shortage, too. We're probably more eager to learn and prove ourselves than the experienced ones. And also bring fresh ideas.

IT Audit is not an entry-level gig, hate to break that to you... you need to have experience on and understand how IT systems should operate and how to properly secure them. Thats not stuff that you are going to pick up from a book or class. Find you a job in IT and work toward moving into audit. I had been in IT for 15 years before I started doing audits ( dont think you need that much experience, but at least 3-5 years). As 636-555-3226 said experience trumps passing an exam... I would hire an experienced auditor, with even just a couple of years experience than some one who just passed a test... there is a reason that these certs have an experience requirement to obtain the cert in addition to passing the exam

wd40

I am CISA certified and I have no Audit experience (you need to have experience in any of the Job Practice Domains to be certified)

But I do agree that this would make it difficult for me to get an IT Audit job, may be you should try to get an intern job at a Big Audit firm.

Job Practice Areas 2016

1Sep1969

jcundiff wrote: »

IT Audit is not an entry-level gig, hate to break that to you... you need to have experience on and understand how IT systems should operate and how to properly secure them. Thats not stuff that you are going to pick up from a book or class. Find you a job in IT and work toward moving into audit. I had been in IT for 15 years before I started doing audits ( dont think you need that much experience, but at least 3-5 years). As 636-555-3226 said experience trumps passing an exam... I would hire an experienced auditor, with even just a couple of years experience than some one who just passed a test... there is a reason that these certs have an experience requirement to obtain the cert in addition to passing the exam

You probably know better than I do, but before I took the exam, I was told that I can't pass it without work experience. Not true (in my case). IT audit not entry level? Graduates get hired by audit firms. The IT auditors I met at audit firms were from accounting background and hardly tech savvy (much less than me), although I know they are more accounting focused. I know one graduate who passed the exam and got hired by an audit firm mainly because he had passed the exam. Two students were hired from my professor's class by a company and trained as IT auditors (because there's a shortage).

xxxkaliboyxxx

1Sep1969 wrote: »

You probably know better than I do, but before I took the exam, I was told that I can't pass it without work experience. Not true (in my case). IT audit not entry level? Graduates get hired by audit firms. The IT auditors I met at audit firms were from accounting background and hardly tech savvy (much less than me), although I know they are more accounting focused. I know one graduate who passed the exam and got hired by an audit firm mainly because he had passed the exam. Two students were hired from my professor's class by a company and trained as IT auditors (because there's a shortage).

Just to throw in there, accountants have audit experience, just saying.

1Sep1969

xxxkaliboyxxx wrote: »

Just to throw in there, accountants have audit experience, just saying.

No experience is required to get hired by Risk Assurance. The accountants probably learned auditing in school, whereas IS graduates don't, but I'm not sure how much experience they had in auditing before they moved to Risk Assurance (as I said, some get hired straight from school).

jcundiff

1Sep1969 wrote: »

The letter shows the results instead of just stating pass. I did not barely pass, but wouldn't be better if it doesn't show the numbers (though it's not like the numbers mean anything, since it's not percentage based)?

Make a copy and block the scores out with a sharpie and make more copies to attach with your resume, if you do not want potential employers knowing your score... but be prepared should you get an interview to discuss why you redacted them.

jcundiff

1Sep1969 wrote: »

No experience is required to get hired by Risk Assurance. The accountants probably learned auditing in school, whereas IS graduates don't, but I'm not sure how much experience they had in auditing before they moved to Risk Assurance (as I said, some get hired straight from school).

So you are able to identify risks, develop mitigation plans and controls to reduce to an acceptable level per the client company's risk appetite, document everything in the risk register you developed, and determine correct schedule of review and approvals without experience? Accounting/Financial auditing is significantly different than IT audits... sure there is some process overlap but there are huge differences. I preformed audits (Security Risk assessments) on our vendors for several years ( onshore and offshore [meaning I was boots on the ground in India for 4-6 weeks at a time a couple times a year]) you know why I was assigned this ? Because I had experience ...

I will say again, I (most IT/IS hiring managers as well) will hire someone with no degree and no certs with 1-2 years boots on the ground experience before someone with a degree and passed a certification exam but has zero experience... your mileage may vary...

1Sep1969

jcundiff wrote: »

So you are able to identify risks, develop mitigation plans and controls to reduce to an acceptable level per the client company's risk appetite, document everything in the risk register you developed, and determine correct schedule of review and approvals without experience? Accounting/Financial auditing is significantly different than IT audits... sure there is some process overlap but there are huge differences. I preformed audits (Security Risk assessments) on our vendors for several years ( onshore and offshore [meaning I was boots on the ground in India for 4-6 weeks at a time a couple times a year]) you know why I was assigned this ? Because I had experience ...

I will say again, I (most IT/IS hiring managers as well) will hire someone with no degree and no certs with 1-2 years boots on the ground experience before someone with a degree and passed a certification exam but has zero experience... your mileage may vary...

I was not referring to Accounting/Financial auditing. The Risk Assurance group of audit firms is focused on IT audits, and they hire graduates with little or no experience. It's not the average IT auditor or IT professional with experience and family who is going to want to work long hours for little pay. Some students were hired by large companies and trained to become IT auditors. Again, I don't want to make it sound like I know much, and when it comes to the field of IT auditing, the advice I get is as varied as the topics covered by the CISA exam. Everyone says something different.

jcundiff wrote: »

Make a copy and block the scores out with a sharpie and make more copies to attach with your resume, if you do not want potential employers knowing your score... but be prepared should you get an interview to discuss why you redacted them.

That might sound like I'm hiding something. I'm not sure if it's necessary to hide the marks. They're not terrible, but it's not like ISACA marks mean much.

636-555-3226

I have to admit, my infosec dept is audited every year by the big box global auditing firms (you'd know their names), and we always get some fresh newbie out of school who asks a few questions from a questionnaire, but you can tell he has no idea what he's doing. Literally every year it's just "show me a screenshot of your AD enterprise & domain admins from the MMC snap-in, show me your password reqts GPO, and show me a backup log indicating you're backing things up every 24 hours. as long as the number of EAs & DAs doesn't go up, our password reqts are complex + 8 chars, and our text logfiles indicate a backup occurred (successful or not...) in the last 24 hours, we pass with a green "Low Risk" rating (HA!). in talking with the people every year (it's always a new newbie), none of them have any idea what a domain admin is or does, and none of them have any idea that an 8 character AD password, complex or not, is absolute rubbish.

In other words, there's hopes for newbies everywhere, just don't expect a lack of experience or understanding of the material (which comes with that experience) to actually let you help your auditees very much. you'll get the job and the paycheck, but what kind of actual value will you provide other than that compliance checkbox most companies need?

1Sep1969

636-555-3226 wrote: »

I have to admit, my infosec dept is audited every year by the big box global auditing firms (you'd know their names), and we always get some fresh newbie out of school who asks a few questions from a questionnaire, but you can tell he has no idea what he's doing. Literally every year it's just "show me a screenshot of your AD enterprise & domain admins from the MMC snap-in, show me your password reqts GPO, and show me a backup log indicating you're backing things up every 24 hours. as long as the number of EAs & DAs doesn't go up, our password reqts are complex + 8 chars, and our text logfiles indicate a backup occurred (successful or not...) in the last 24 hours, we pass with a green "Low Risk" rating (HA!). in talking with the people every year (it's always a new newbie), none of them have any idea what a domain admin is or does, and none of them have any idea that an 8 character AD password, complex or not, is absolute rubbish.

In other words, there's hopes for newbies everywhere, just don't expect a lack of experience or understanding of the material (which comes with that experience) to actually let you help your auditees very much. you'll get the job and the paycheck, but what kind of actual value will you provide other than that compliance checkbox most companies need?

Again, everyone says something different. Had I not taken the CISA exam, you would have told me that I can't get a passing score without work experience. Well, I proved everyone wrong.

I guess they should be training those newbie auditors? Well, I don't know. We'll see what happens. At least, I have some basic understanding of IT auditing. Also, I come from an IS background and those firms probably hire accountants.

jcundiff

nobody here would have told you that you couldnt pass without experience... we may have told you it would be extremely difficult... there was a guy here who studied and studied and passed the CISSP his 2nd time around with no experience... its possible, just hard

feydrax

Well, I have a similar question but on a different context.

Is the results slip that is available on ISACA website the only proof that I have passed my examination? My employer wants to know if ISACA issues any official hardcopy certificate or result slip to show that I have passed the exam.

cfirsten

feydrax wrote: »

Well, I have a similar question but on a different context.

Is the results slip that is available on ISACA website the only proof that I have passed my examination? My employer wants to know if ISACA issues any official hardcopy certificate or result slip to show that I have passed the exam.

I can tell you that for me, when I took it on paper, they sent me a letter with the same results that can be seen on the website. Don't know if they will issue one since they've moved to the CBT, however they did send me an email with the results. I don't know why you couldn't use that email and print it out.

cfirsten

636-555-3226 wrote: »

.......... in talking with the people every year (it's always a new newbie), none of them have any idea what a domain admin is or does, and none of them have any idea that an 8 character AD password, complex or not, is absolute rubbish.


.........
you'll get the job and the paycheck, but what kind of actual value will you provide other than that compliance checkbox most companies need?

From my limited experience with auditing, 4+ years, I have learned and have been taught by people smarter than me, that that's all you can do, ask. Don't confuse investigations with auditing, the way we perform auditing is pretty much the same way you described: do you do this, how about that? That's all I can do, I'm not there to impede with their business, I'm there to assess the state of the systems. We are also not allowed to sit at the keyboards and/or interact with their systems, we only ask questions and we fill out questionnaires. If you tell me you have complexity enabled on the DCs sure, who am I to argue. Can you disable the GPO one minute after I'm out the door? Sure, who am I to argue.


I don't want to provide value man, I just want a paycheck, the bigger the better. Especially in the auditing business the sooner you're out the door the more they'll like you. Me? Just like you said, I don't care anymore, it's always about the money for me. But that's just me and we all know the story with the opinions .

feydrax

cfirsten wrote: »

I can tell you that for me, when I took it on paper, they sent me a letter with the same results that can be seen on the website. Don't know if they will issue one since they've moved to the CBT, however they did send me an email with the results. I don't know why you couldn't use that email and print it out.

Strangely my HR doubts on the result slip that was printed out. I guess she's just too confused to look at the marks from the different domains there.

I think she just wants a big piece of papers saying XXX HAS PASSED CISA EXAM kind of thing.

I really have no idea how the delicate minds of HR works

tphan3

1Sep1969 wrote: »

Again, everyone says something different. Had I not taken the CISA exam, you would have told me that I can't get a passing score without work experience. Well, I proved everyone wrong.

I guess they should be training those newbie auditors? Well, I don't know. We'll see what happens. At least, I have some basic understanding of IT auditing. Also, I come from an IS background and those firms probably hire accountants.

Hey man, I am in a similar situation. I just graduated from my grad school last May. I don't have any experience yet but still managed to pass all big certs in my first try with high scores. However, I got my job as a cybersecurity consultant (Risk Assurance like the one you said) 2 years ago after getting my Sec+, but I delayed the work (and the company agreed to wait for me too) to finish my MBA. I showed my employer that cybersecurity would be the thing that I wanted to do. You probably don't need to pass CISA to get a job, but passing CISA will definitely make job finding easier. You need to show passion for the job, and passing the CISA is one of the way to do so and to get through the HR filter. Don't worry, you probably get more interview calls now, and good luck because you will need it.

1Sep1969

tphan3 wrote: »

Hey man, I am in a similar situation. I just graduated from my grad school last May. I don't have any experience yet but still managed to pass all big certs in my first try with high scores. However, I got my job as a cybersecurity consultant (Risk Assurance like the one you said) 2 years ago after getting my Sec+, but I delayed the work (and the company agreed to wait for me too) to finish my MBA. I showed my employer that cybersecurity would be the thing that I wanted to do. You probably don't need to pass CISA to get a job, but passing CISA will definitely make job finding easier. You need to show passion for the job, and passing the CISA is one of the way to do so and to get through the HR filter. Don't worry, you probably get more interview calls now, and good luck because you will need it.

Thanks! It's always nice to hear from grads who are in a similar situation. I haven't had time to send out my application since I passed the exam. Summer time, so many things happening and traveling... However, I have been volunteering at my local ISACA chapter since February. That has been enjoyable and kept me busy. Honestly, I find the whole job search process (networking, interviews, etc) more challenging than preparing for an exam like CISA. It's just a hassle and a waste of time. I can instead be doing something more productive, which won't happen until I get hired.

mattf73

Between two similar candidates, if you have taken the time and effort to pass the CISA exam that can only work in your favour. Use it to demonstrate your interest in the field. Most people do it because their boss sent them on a bootcamp, or it's a job requirement, so your willingness to back yourself is a real positive.
I would suggest mentioning you passed the exam on your resume, and as you are volunteering at your local ISACA chapter ask if your contacts there would be willing to provide a reference. Your local chapter is probably the best place to find a job too.

gkhizer

Screw what people think. Have these people have crappy support jobs losing hair waiting for the next star wars to come out.
CISA and CISSP is where its at. Only big companies look at you when you have these credentials.

I am working on my CISA right now. I can tell you this if you want experience MOVE!. Look at the jobs in UK. There are so many for entry level guys. I am in Canada right now and I will move where ever to get that experience because after a year or two your set.

My degree was theorietical there is no point for me to pursue anything technical. Look at BA roles and or project coordinator roles because those skills are transferable.

Don't waste your time with MSCE CCNA. In the next ten years these jobs are going to INDIA. Plus the blow.
Sign up for Linux academy, get some technical exposure when you are free.

Hang in there! I studied for my CCNA which got me help desk roles. Lifes to short to be fixing printers.

josephandre

lol. why is there any advice in here other than how to prove he passed the exam. that was his question.