This document provides an overview of the roles and certifications available for assurance professionals working with information systems. It discusses why IS auditing is important given regulations like Sarbanes-Oxley that require verifying system controls. Common certifications include CISA, CISM, and CGEIT from ISACA, which focus on auditing, security management, and IT governance respectively. The CISSP from (ISC)2 demonstrates broad security knowledge, while the GIAC GSNA tests systems and network auditing skills. Obtaining certifications provides credibility, ensures competence, and allows professionals to efficiently add value through activities like risk assessments, security evaluations, and enhancing audit effectiveness.

1. An overview
for assurance professionals
Asif Virani
ACC626 – Professor M. Datardina
July 5, 2012

2. • Why should I care?
• Why an IS professional?
• Types of engagements
• Certifications:
• ISACA
• CISA
• CISM
• CGEIT
• (ISC)2
• CISSP
• GIAC
• GSNA
• Concluding thoughts

3. • With advent of Sarbanes-Oxley, auditors must verify that
“controls are in place and working correctly”
• Information integrity depends on system integrity: “if the
security or integrity of the information system can be
compromised, then the information in them can be
compromised”
• Canadian Auditing Standard 315
• Identifying and Assessing the Risks of Material Misstatement
through Understanding the Entity and its Environment
• For smaller companies, information systems are simpler
but their role is still significant
• Important to understand and evaluate a client’s IT system
regardless of its size

4. • Increased efficiency and effectiveness of audits,
identification of system vulnerabilities, input on risk
assessment and the control environment,
recommendations and advice
• Companies need to be aware of risks surrounding
information security
• Help clients manage their risks and maximize their
benefits from using emerging technologies

5. • Financial statement audits
• Internal control design and effectiveness (CSAE3416 reports,
etc.)
• Internal audit function
• Designing and implementing secure systems
• EC-Council Secure Programmer (ECSP)
• EC-Council Secure Application Designer (ECSAD)
• Certified Secure Software Lifecycle Professional (CSSLP)
• GIAC Secure Software Programmer (GSSP)
• Security assessments and responses, monitoring
• Specialized certifications
• Ethical hacking, penetration testing, computer hacking forensics,
intrusion analysis, web application security

6. • Information Systems Audit and Control Association
(ISACA)
• Certified Information Systems Auditor (CISA)
• Certified Information Security Manager (CISM)
• Certified in the Governance of Enterprise IT (CGEIT)
• International Information Systems Security Certification
Consortium ((ISC)2)
• Certified Information Systems Security Professional (CISSP)
• Global Information Assurance Certification (GIAC)
• GIAC Systems and Network Auditor (GSNA)

7. • Governing body for IS audit and control professionals
• 4 designations in audit, security and IT governance
• Professional Code of Ethics
• Continuing Professional Education program
• Compliance with ISACA standards (CISA)
• Certification exams
• Work experience requirement

8. • “Leverage standards, manage vulnerabilities, ensure
compliance, offer solutions, institute controls and deliver
value to the enterprise”
• Requirements:
• CISA exam
• Minimum 5 years work experience
• Code of Ethics and CPE
• IS Auditing Standards as adopted by ISACA

9. • Job practice areas:
• Process of auditing systems
• Governance and management of IT
• Information systems acquisition, development and implementation
• Information system operations, maintenance and support
• Protection of information assets
• Bottom line:
• Professional familiar with and can perform IT audits
• Provide assistance understanding IT system, performing risk
assessments and controls testing
• Enhance the audit function by analyzing and auditing IT
aspects, providing greater audit effectiveness and efficiency
• Invaluable when preparing special reports (CSAE3416, etc.)

10. • “Build and manage information security programs… bring
a comprehensive view of information security
management and its relationship with organizational
success”
• Requirements:
• CISM exam
• Minimum 5 years information security work experience, with
minimum 3 years in information security management or in 3 or
more of the job practice areas
• Code of Ethics and CPE

11. • Job practice areas:
• Information security governance
• Information risk management and compliance
• Information security program development and management
• Information security incident management
• Bottom line:
• Focus on information system security program management,
governance, compliance and risk management
• Link between upper management and information security function
• Help understand and advise on security environment at client
organizations

12. • Ability to “discuss critical issues around governance and
strategic alignment… grasps the complex subject
holistically and therefore enhances value to the
enterprise”
• Requirements:
• CGEIT exam
• Minimum 5 years work experience managing, serving in advisory
or oversight role, and/or otherwise supporting IT governance, with
minimum 1 year experience related to developing and/or
maintenance of IT governance framework
• Code of Ethics and CPE

13. • Job practice areas:
• IT governance framework
• Strategic alignment
• Value delivery
• Risk management
• Resource management
• Performance measurement
• Bottom line:
• CGEITs “deliver on corporate business goals, more successful IT
implementation, secure environment and more agile business
processes… greater returns on IT investments”
• Provide client value with advice on management of IT assets
• Help build and evaluate business cases for IT investments for
clients

14. • Certifying body for a number of information security-
related designations
• Professionals with (ISC)2 credentials differentiate
themselves as knowledgeable in general and specific
areas of IT security
• Provide value to security functions

15. • “Develop policies and procedures in information
security… define architecture, design, management
and/or controls that assure security of business
environments”
• Requirements:
• CISSP exam
• Minimum 5 years professional security work experience in at least
2 of 10 domains of the core body of knowledge
• Code of Ethics and CPE
• Endorsement form signed by active (ISC)2 certified member

16. • Knowledge domains:
• Access control, telecommunications and network security, information
security governance and risk management, software development
security, cryptography, security architecture and design, operations
security, business continuity and disaster recovery planning,
legal/regulations/investigations compliance, and physical
(environmental) security
• Bottom line:
• Very good overall view of security and different aspects requiring
consideration
• Help identify and design security setups and provide overall
assessments of the security environment
• Assist in gaining an understanding of the business and control
environment, identifying control weaknesses and system
vulnerabilities, focusing audit work and areas of testing for assurance
practitioner

17. • Technical certification demonstrating competence in
systems and network auditing
• Focus on processes, assessments and testing
• Requirement:
• GSNA exam
• Testing areas:
• Audit methodology, risk management, auditing firewalls, intrusion
detection systems, network services, critical systems, networking
devices, Unix and Windows systems, and web applications and
servers

18. • GSNAs often engaged to perform specific testing on
systems
• GIAC does not govern GSNAs or other GIAC-certified
professionals
• No professional code of ethics
• No CPE requirement, but recertification required every 4 years
• Bottom line:
• Valuable team member who understands objectives of an audit
• Increased efficiency and effectiveness of audits through technical
testing and auditing of IT systems and networks

19. • Certification provides credibility, attests to the fact that
they take their role and industry seriously, are competent
in a strong body of core knowledge, have familiarity of
industry topics
• In choosing the appropriate professional, requirements
should be properly defined and planned
• Greater efficiency and effectiveness of work, increased
delivery and service opportunities to clients, reduced
exposure to more stringent auditing standards
• Heightened credibility of firm, rewarding relationships
with professionals in other areas of expertise, increased
value creation for clients

20. Questions and comments can be forwarded to
Asif Virani
School of Accounting and Finance, University of Waterloo
Waterloo, ON Canada
a3virani@uwaterloo.ca