IT auditor certifications

June 12, 2019 by Greg Belding

Whenever you want to move into a new position, professionally or otherwise, it’s natural to want a leg up on the competition. IT auditor is one of the rising stars of the IT career field, and it is no exception to this rule.

Certifications are a great way to stand apart from the crowd as an IT auditor, and this article tells you what you need to know about IT auditor certifications.

IT auditor job description

IT auditors are responsible for analyzing an organization’s IT systems, applications and processes to ensure that they meet the organization’s operational, legal and governance needs. IT auditors also determine whether any security risks or other inefficiencies exist within the organization’s IT systems.

IT auditor certification requirements

Technically speaking, certifications are not required for IT auditor jobs unless the organization requests them. Despite this, earning certifications relevant to an IT auditor role can go a long way towards your career goals. The IT auditor field is competitive, and while you may not be required to hold a certification, you might as well assume that your competition has one. Going above and beyond by earning at least one certification will leave you no worse off than your competition — and don’t we all want a level playing field?

IT auditor certifications

There are several IT auditor certifications you can choose to earn, and you may want to earn as many as possible to improve your resume. Of course you know what you know, but organizations prefer as much verification as possible, and certifications verify your skills like nothing else.

The following is a comprehensive summary of the relevant certifications for the IT auditor role.

Certified Information Systems Auditor (CISA)

Hosted by ISACA, the Certified Information Systems Auditor certification (CISA) is considered the gold standard certification in IT auditing by the Institute of Internal Auditors. This is the oldest and perhaps most recognized of all IT auditor certifications, and it may be valuable for your career as well.

What does CISA cover?

CISA is directed at IT auditing and covers the following five domains of knowledge:

  • Domain 1 — The Process of Auditing Information Systems: Providing IT auditing services to assist with protecting and controlling the organization’s information systems according to IT auditing standards
  • Domain 2 — Governance and Management of IT: Ensuring that the required organizational and leadership structures and internal processes are in place to accomplish the organization’s objectives and support its strategies
  • Domain 3 — Information Systems Acquisition, Development and Implementation: Ensuring that internal practices for the development, acquisition, testing and implementation of the organization’s information systems achieve their objectives and support its strategies
  • Domain 4 — Information Systems Operations, Maintenance and Support: Ensuring that the organization’s processes for the operation, maintenance and support of its information systems achieve their objectives and support its strategies
  • Domain 5 — Protection of Information Assets: Ensuring that the organization’s security policies, procedures, standards and controls preserve the confidentiality, integrity and availability of its information assets

CISA exam requirements

Experience prerequisites must be met before the certification is awarded. However, many candidates take the exam before they have satisfied this requirement. CISA’s experience requirement is a minimum of five years of professional information systems auditing, security or control work experience. ISACA offers some exceptions to this rule, which are published on its website.

Continuing qualification requirements

After you take and pass this notoriously difficult exam, you still have to satisfy certain continuing requirements. These are:

  • Adherence to the Code of Professional Ethics
  • Adherence to CISA’s Continuing Professional Education (CPE) program — a minimum of 20 contact hours of CPE, plus a maintenance fee, is required annually, and a minimum of 120 contact hours is required during each fixed three-year period. Further details are available from ISACA
  • Compliance with Information Systems Auditing Standards

CISA exam specifics

  • Bachelor’s or master’s degree in a related field is required
  • 150 multiple-choice questions
  • You have a maximum of four hours to complete the exam
  • Scoring — scaled scores range from 200 to 800, and the minimum passing scaled score is 450
  • CISA must be renewed annually, with an additional three-year CPE renewal requirement

GIAC Systems and Network Auditor (GSNA)

GIAC Systems and Network Auditor, or GSNA, is a certification offered by GIAC. This certification verifies that the certification holder has the skills, knowledge and technical abilities to properly apply risk analysis techniques and to conduct an audit of an organization’s essential information systems.

What does GSNA cover?

This exam covers five objectives, which are:

  • Auditing Concepts & Methodology
  • Auditing Networking Devices & Services
  • Auditing Unix Systems
  • Auditing Windows Systems
  • Web Application Security

GSNA exam requirements

There are no prerequisites or training required for this certification exam.

Continuing qualification requirements

Those looking to renew their GSNA can do so in a couple of different ways: either retaking the current version of the GSNA exam with a passing score, earning 36 continuing maintenance units (CMUs) by attending approved training sessions, or publishing a technical research paper, and paying a renewal fee.

GSNA exam specifics

  • 115 multiple-choice questions
  • You will have three hours to complete the exam
  • You need a minimum score of 73% to pass
  • Must be renewed every four years
  • An exam fee applies

Certified Internal Auditor (CIA)

Hosted by the Institute of Internal Auditors, the Certified Internal Auditor certification (CIA) is the sole globally recognized internal audit certification on the market today. Despite being an internal auditor certification, it is also intended for IT auditors.

What does CIA cover?

The CIA exam covers four main areas. These areas are:

  • Internal Audit Activity’s role in governance, risk and control
  • Conducting the internal audit engagement
  • Business analysis and information technology
  • Business management skills

CIA exam requirements

There are some prerequisites to taking the CIA certification exam. These are:

  • Education: You must have obtained a bachelor’s degree (or two years of post-secondary school and five years of experience as an internal auditor, or seven years of experience)
  • Experience: You are required to have 24 months of verified experience as an internal auditor, or 12 months of experience if you have a master’s degree
  • Character reference: signed by a CISA, CGAP, CFSA or CRMA holder, or by a supervisor

Continuing qualification requirements

CIA requires yearly reporting of CPE hours, and there are different requirements for different certification statuses. For example, an actively practicing CIA professional must report 40 CPE contact hours annually. CPE requirements for other certification statuses are published by the Institute of Internal Auditors.

CIA exam specifics

  • 180 multiple-choice questions
  • You will have five hours to complete the exam
  • You will have to earn a score of 70% to pass
  • An exam fee applies


Becoming certified is a great way to improve your competitiveness in the information security field, and the IT auditor role is no exception. There are three major certifications aimed at IT auditors, and whether you earn one of the above or all three, you will find that you are at once competitive within the field and that your skills are more verifiable than any job description on a resume can prove.

Greg Belding

Greg is a veteran IT professional working in the healthcare field. He enjoys information security, creating information defensive strategy, and writing – both as a cybersecurity blogger and for fun.