Financial auditor - Passed CISA
Hi everyone,
I see a whole bunch of posts out there by people with Infosec experience switching over to audit but very few threads for people currently in external financial statement audit taking on CISA. Thought I would share some of my experience and fill the void.
Background: Accounting grad, been in public practice for 4 years specializing in public sector financial audits. Work for one of the national big 6 firms (in other words, not big 4). Qualified CPA, currently an audit senior. 0 experience in infosec, although I got A+ and Network+ (I still remember the OSI model!!) for fun back when I was a high school student and worked at a local computer store.
Approach: Purchased an official book, the Sybex book, the all-in-one book and the database. I got the Sybex book first; the book was hard to read, there were a lot of things he said that I disagreed with audit-wise and his tone was condescending, which I really hated. My second book was the AIO; this one was way better and I actually read up to chapter 3 before I called it quits... too boring. Finally, I caved and bought the official book (thank god work paid for all of it); this one I ended up skimming as I only had a month to study by this point. About a week before the exam, I started tackling the database. I did about 200 questions a day for 6 days in a row and by the end I was averaging 60~70% and 30s/question. Took 2 days off and on the day before the exam, I registered the Sybex book and took one of the practice exams (199 questions) and got 70%. I figured this is good enough; besides, there wasn't much I could do with just 10 hours before the exam.
Exam: Exam was very similar to the database and the Sybex practice exam. No memorization required, most questions can be answered based on common sense and knowing how ISACA likes to test you. 0 technical questions like Firewall implementation or PKI... Overall, I thought the exam was too easy. I feel bad for the really technical guys as the technical topics are not tested at all. I finished the exam in a little over an hour and another hour mulling over the ones I wasn't sure about.
Advice to financial auditors: If you know how to audit... you can pass this exam. This is essentially an audit exam with a slight IT spin. I recommend skipping the third-party books: get the official one, skim chapters 3, 4 and 5. Practice taking those questions and learn to look out for those bolded key words in the questions: "FIRST, MOSTLY, BEST... etc.". Finally, don't get hung up over the technical details; chances are, you will miss one or two questions per technical topic. Who cares, when the pass mark is so low and there are so many questions.
Hope this helps and let me know if you have questions.
Comments
fatherplease: Nicely done. Congratulations.
(signature) I feel as if I were a piece in a game of chess, when my opponent says of it: That piece cannot be moved. - Soren Kierkegaard
cisanut: Thanks for the advice, jokkon. I have a financial & operational audit background and found your comments very encouraging!
cisanut: I took the CISA exam and got a preliminary pass today! I would say jokkon is right, if you know how to audit, you can pass the exam. Just use the ISACA QAE DB to learn the IT terminology and concepts. The exam felt quite conceptual to me though, so you do need to apply what you've learned to pass it.
averageguy72: Congrats!
(signature) CISSP / CCSP / CCSK / CRISC / CISM / CISA / CASP / Security+ / Network+ / A+ / CEH / eNDP / AWS Certified Advanced Networking - Specialty / AWS Certified Security - Specialty / AWS Certified DevOps Engineer - Professional / AWS Certified Solutions Architect - Professional / AWS Certified SysOps Administrator - Associate / AWS Certified Solutions Architect - Associate / AWS Certified Developer - Associate / AWS Cloud Practitioner
skyberx: Congrats! I am a fresher and recent CPA passer and I just got into big 4 this month in the Assurance service line. I became a CPA because my mother wanted me to, but my heart has always been in IT. I just wanna ask, should I pursue being in Financial Audit? Will I gain enough knowledge to pass CISA someday within my field? I am planning to switch to advisory though.
cisanut: @skyberx,
Congratulations on being a recent CPA passer! I would recommend you at least stay in financial audit long enough to get your CPA signed off. You might want to consider transferring to the IT Audit side of your firm after that. The financial/IT audit experience will help you to pass the CISA. Having a CPA & a CISA is a great combo!
scasc:
cisanut said: @skyberx, Congratulations on being a recent CPA passer! I would recommend you to at least stay in financial audit long enough to get your CPA signed off. You might want to consider transferring to the IT Audit side of your firm after that. The financial/IT audit experience will help you to pass the CISA. Having a CPA & a CISA is a great combo!
Ditto with this comment. As someone who has worked in 3 of the big 4, most recently with PwC as an Associate Director, I can confirm that having the aforementioned is very valuable.
(signature) AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
scasc:
skyberx said: Congrats! I am a fresher and recent CPA passer and I just got in big 4 this month in the Assurance service line. I became a CPA because my mother wanted me to but my heart has always been in IT. I just wanna ask, should I pursue being in the Financial Audit? Will I gain enough knowledge to pass CISA someday within my field. I am planning to switch to advisory tho.
Which area of advisory are you interested in? With the CISA you can move into Cyber, which is where I work. But it depends on your goals and aspirations. Alternatively, Risk is a big area too and the CISA will help here also.
(signature) AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
skyberx:
scasc said: Which area of advisory are you interested in? With the CISA you can move into Cyber - which is where I work. But depends on your goals and aspirations. Alternatively Risk is a big area too and the CISA will help here also.
I don't have any specific goals yet, I just want to combine my profession with my passion, which I think I can achieve by becoming a CISA. There's ITRA (IT Risk and Assurance) in our firm. I also view LinkedIn profiles of some CISAs and they are from Cyber. Can you tell me more about Cyber?
scasc:
skyberx said: I dont have any specific goals yet, I just want to compise my profession eith my passion which I think I can achieve by becoming a CISA. There's ITRA (IT Risk and Assurance) in our firm. I also view linkedin profiles of some CISA and they are from Cyber. Can you tell me more about Cyber?
How far down the line are you with your CPA? If you have done quite a bit then complete it and in the interim, network. How the big 4 works is by networking with the right folks. ITRA is EY's old TSRS (Tech Security and Risk Services team); they have rebranded to ITRA, which is essentially the same thing.
Whenever you encompass an IT Audit you focus mainly on IT General Controls (ITGC), i.e. controls around logical access, change management and IT operations. One part of Cyber enhances the viewpoint by understanding what the threat vector is (i.e. threat modelling) and thus determining the controls you need to protect against all types of threat actors you face (i.e. DLP, crypto, configuration, OS hardening, secure remote access etc). I guess this is the area of Cyber you can relate to since CISA is something you aspire to do.
On the other hand, Cyber gets more complex and technical -> from Cloud/Architecture design to the more Ethical Hacking/Incident Response/Forensic elements.
Depends on your passion and where you want to head, but the key thing is to network with the right people, understand their projects, what they do, and see if you can even now help them (does not have to be chargeable). Bottom line is that Big 4 is about networking with the right contacts to get what you want. Cyber is big these days so there is nothing stopping you obtaining the CISA and jumping to another Big 4 firm with a higher salary. Just need to play your cards right.
(signature) AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
john_cisa: Thank you very much Jokkon, your comments encouraged me while I am preparing for the exam.
Gourav_ssdn: Thanks for giving the info, it certainly encourages everyone. The official book you mentioned is the CISA Review Manual 26th edition?
LarryForm: Thanks and congratulations, jokkon.
As you said, I am one of those all-tech people who will soon go in for the CISA. Your comments above are so true, especially after going through the QAE Database.
For the past three years, I have been the contact person at my company for auditing our technology infrastructure (ISO 27001:2013 security audit) and just by going through this with them, I have learned a lot, especially comparing what they do to what I see in the AIO material for CISA.
If there is any other material you can think of that was helpful as you prepared for the exam, please let me know.
Again, congratulations.
SK_Tan: Hi,
I am an Internal Auditor with a financial and operational focus. I'll be completing my CIA soon and am thinking of taking the CISA right after this (due to the importance and emphasis being placed on IT auditing). What's your view on this switch? Is this common, and how easy (or difficult) is it?
jokkon:
SK_Tan said: Hi, I am an Internal Auditor with Financial and Operational-focused. I'll be completing my CIA soon and thinking of taking the CISA right after this (due to the importance and emphasis been placed in IT auditing). What's your view on this switch? Is this common, and how easy (or difficult) it is?
It's been a few years since I passed the exam now and I have since moved into industry and am currently working as a senior IA in a large company. I think transitioning from Ext to Int was not as easy as I thought it was going to be. Often in Ext Audit, we use management assertions to guide our approach, like the good ol' CEAV. However, when you are auditing a company or division's data governance structure, it is not as easy. Sometimes you can't even find a policy to audit against!
I found some resources over the past few years that are pretty helpful, mostly best practices I can base my audit programs on (can't post links, so just google the below):
CIS Top controls
IIA GTAG
CISA journals and audit programs.
These days, I take a good chunk of time planning my audits: doing research, interviewing, scoping, risk assessment... By the time I am done planning, I already know what my audit report is going to look like; fieldwork is just validating some of my findings from planning.
Would love to hear what other people's experiences are like making the transition.