  1. Junior Member
    Join Date
    Jun 2016
    Posts
    11
    #1

    Certifications to take for a new IT auditor with no IT background

    I'm blessed with this opportunity to join a firm as a junior IT audit & risk personnel soon.

    I'm from an Accounting & Finance background and do not have any prior IT related education.

    I understand that there are tonnes of certifications which will be of great benefit for me, but I'd like to know which is the most relevant certification that I can prioritize to give me the relevant knowledge to kick start my career in this field.

    My own research says CISA, but I'd like to know your opinions too.

    What other practical knowledge or projects can a beginner like me attempt?

    Many thanks!

  3. I drink and I know things Ertaz's Avatar
    Join Date
    Jan 2006
    Posts
    658

    Certifications
    CISSP, CASP, CSA+, GPEN, CCNA Cyber Ops, Security+, MCP
    #2
    Originally Posted by feydrax:
    I'm blessed with this opportunity to join a firm as a junior IT audit & risk personnel soon.

    I'm from an Accounting & Finance background and do not have any prior IT related education.

    I understand that there are tonnes of certifications which will be of great benefit for me, but I'd like to know which is the most relevant certification that I can prioritize to give me the relevant knowledge to kick start my career in this field.

    My own research says CISA, but I'd like to know your opinions too.

    What other practical knowledge or projects can a beginner like me attempt?

    Many thanks!

    Security+ would be a good technical starter imo. Then on to CISA.

  4. Senior Member
    Join Date
    May 2006
    Posts
    1,863

    Certifications
    CISSP, CCSP, eJPT, ITIL, PA ACE, Qualys Certified Specialist, A+
    #3
    Originally Posted by feydrax:
    I'm blessed with this opportunity to join a firm as a junior IT audit & risk personnel soon.

    I'm from an Accounting & Finance background and do not have any prior IT related education.

    I understand that there are tonnes of certifications which will be of great benefit for me, but I'd like to know which is the most relevant certification that I can prioritize to give me the relevant knowledge to kick start my career in this field.

    My own research says CISA, but I'd like to know your opinions too.

    What other practical knowledge or projects can a beginner like me attempt?

    Many thanks!

    Your research is correct, you can take the CISA but you will not be granted the certification. As per the ISACA website, you need a minimum of 5 years' experience on the job in the below areas. With that said, you can go for the Security+, it will help you more because it is a bit more technical and will be a good foundation for the CISA.

    How to Become CISA Certified

    Job Practice Areas 2016

  5. Junior Member
    Join Date
    Jun 2016
    Posts
    11
    #4
    Thanks for the recommendation! It seems like Security+ can be something for me to look into for now.

    Applying that to my current situation, should I focus more on theoretical concepts first or technical knowledge to make myself useful as early as possible?

  6. Junior Member Registered Member
    Join Date
    Mar 2015
    Posts
    5

    Certifications
    OSCP, CISSP, CISA
    #5
    In terms of practical knowledge to start out, https://itauditsecurity.wordpress.co...auditors-know/ is a good list of basic items that you will want to understand.

    I would definitely focus your efforts on the "IT" part as the "auditor" part you'll get pretty quickly on the job. I've been an IT Auditor for four years, and my certification path has been Security+ > CIA > CISA > CISSP. I would definitely recommend this path with the possible exception of the CIA as there will be some overlap with your accounting background, and probably unnecessary if you have a CPA.

  7. The ceiling is glass. PJ_Sneakers's Avatar
    Join Date
    Nov 2014
    Location
    169.254.0.1
    Posts
    759

    Certifications
    AccessData, Cellebrite, CompTIA, EC-Council, IACRB, (ISC)², Microsoft, MSAB
    #6
    Since you have no IT background at all and you are actually walking into a position, I would glance over CompTIA A+ to get acclimated, and then look into CompTIA Network+ to get familiar with how networking works because networking is really the backbone of IT. It doesn't matter if it's an iPad, a Windows PC, a Xerox multifunction printer/copier, or a Mac Pro, they all have to connect to a network to be useful to an enterprise.

    You probably don't have to dive in so deep that you get Network+ certified, but the knowledge will help you with Security+ because it will test your understanding of how computers communicate (such as routing through a network to a firewall and out to the Internet). I would look at getting Security+ certified, especially since you don't have the CISA prerequisites yet. Security+ is actually pretty good stuff; I think it should be mandatory for IT staff but that's just me.
    Last edited by PJ_Sneakers; 06-21-2016 at 02:32 PM.

  8. Senior Member
    Join Date
    Feb 2015
    Location
    The Interwebs
    Posts
    144

    Certifications
    PMP, CISSP, CISA
    #7
    Echoing what others have said: Security+ is a great foundation and should give you a lot of good information to use in your daily duties.

    CISA can be done a little later; I found that having IT auditing experience definitely helps prepare you for the CISA and by the time you get 1+ years of experience in IT audit your firm will likely start angling your progression goals towards CISA but is not something you need to have with 0 years of experience--I think the sec+ will help connect a lot of the terminology and general practices together that you can use right away.

  9. Shrub Diver Raystafarian's Avatar
    Join Date
    Aug 2013
    Location
    San Antonio, TX, US
    Posts
    86

    Certifications
    CISM, CISA, ITIL-f 2011, MSOS Excel 2010
    #8
    You have no experience in IT, but how much experience do you have in audit?

  10. Junior Member
    Join Date
    Jun 2016
    Posts
    11
    #9
    I have 2 years in auditing, but it's more inclined towards financial audits, and less on operational audits. I do have a CPA though.

  11. Senior Member
    Join Date
    Mar 2011
    Location
    Chicago
    Posts
    1,281

    Certifications
    CISSP-ISSAP, HCISPP GPEN, GSEC, GSNA, GCIH, E|CH, ECSA, Security+
    #10
    Not so much a certification but I highly recommend looking into The Great Courses: Argumentation. First. It's a course I think everyone should take, particularly auditors as you're going to become tired of people basically lying to you. This will help you sift through some of the social garbage people will tell you in the course of gathering evidence. Every administrator believes their own garbage about "telling the auditor what they want to know..." So learning how people set up arguments both good and bad will help you throughout your career.

    Coursera may have some other smaller courses and certifications related to your audit career that also may be of interest if it relates to whom you're auditing. Later on these two companies make submitting CPEs and CEUs a breeze - particularly for non-direct requirements like the CISSP. Argumentation alone satisfies three years of requirements in one course.

    Check out Cybrary and YouTube for more courseware that may or may not be related to audit.

    Look beyond just certs; there is a ton of free courseware out there for you to improve your career.

    Audit is by far the best place to start an InfoSec career, by the way.

    - b/eads

  12. Senior Member
    Join Date
    Nov 2011
    Posts
    810
    #11
    • A bachelor's or master's degree from a university that enforces the ISACA-sponsored Model Curricula can be substituted for 1 year of experience. To view a list of these schools, please visit www.isaca.org/modeluniversities. This option cannot be used if 3 years of experience substitution and educational waiver have already been claimed.
    If you have a bachelor's, plus the experience should allow you to sit for it.

  13. Senior Member
    Join Date
    May 2016
    Posts
    1,632

    Certifications
    70-461, ITIL V3 F, ITIL OSA, ITIL ST
    #12
    CISA seems to make sense.

  14. Senior Member
    Join Date
    Mar 2011
    Location
    Chicago
    Posts
    1,281

    Certifications
    CISSP-ISSAP, HCISPP GPEN, GSEC, GSNA, GCIH, E|CH, ECSA, Security+
    #13
    @Remedymp

    Feydrax is indicating that he's a fresher and about to start his audit career so shockingly he's trying to do things right. He has no IT audit background but a CPA. Good news is InfoSec and audit in particular is largely based on IACPA financial controls back in the mid 1960s.

    Yes, back before 2000 IT security, if it existed, worked for a CPA and likely the CFO - not IT, MIS or DP.

    - b/eads

  15. Junior Member
    Join Date
    Jun 2016
    Posts
    11
    #14
    Originally Posted by beads:
    @Remedymp

    Feydrax is indicating that he's a fresher and about to start his audit career so shockingly he's trying to do things right. He has no IT audit background but a CPA. Good news is InfoSec and audit in particular is largely based on IACPA financial controls back in the mid 1960s.

    Yes, back before 2000 IT security, if it existed, worked for a CPA and likely the CFO - not IT, MIS or DP.

    - b/eads

    @beads

    Interestingly I find your answer to be the most relevant to me!

    TBH I'm not in a particular rush to acquire any certification, as the firm will be funding me on the relevant certifications.

    The recommendations in favor of Security+ have been helpful, and I've just read through the index of the syllabus, it certainly looks like a good introductory material for someone like me.

    I'm looking for avenues to gain the relevant knowledge to make myself relevant to the job scope, and I find your answer to be very practical and suitable for me!

    If financial controls are still relevant, I guess that gives me some level of comfort. At least I have something to offer.

    P/S : the word "shockingly" gave me a chuckle, I've been trying to make this jump to IT audit for a while, from Financial Audit > Finance Analyst > Finance Application Support > IT audit. I was actually expecting to spend some time in the support role and do some self study, but this firm is actually willing to invest in me for the IT audit role. That's why I'm totally caught by surprise.

  16. Junior Member
    Join Date
    Jun 2016
    Posts
    11
    #15
    Quick update

    I actually went ahead and took CISA, and I passed!!! However, passing CISA doesn't really give me that much confidence. I guess the lacking in technical is still a problem for me.

  17. Senior Member adrenaline19's Avatar
    Join Date
    Dec 2015
    Posts
    248
    #16
    Sec+ is a good certificate and a good start to the process. I'd also recommend setting up a test environment at home and just playing around in it. Test things out, play around, see what happens when you type random **** onto a command line. Figuring out how to fix stuff you broke is the best learning experience possible.

    Once you get started, you'll figure out what you want to learn next.
