
Information Security (IS) Auditor Salary and Job Prospects [Updated 2021]

December 16, 2020 by Ravi Das


Businesses and corporations have to make sure that their lines of defense are beefed up on a daily basis. If there is just one tiny crack in the IT infrastructure, a cyber-attacker can find his or her way in very quickly and exploit all vulnerabilities and weaknesses to their advantage. Therefore, all systems need to be checked on a routine basis to help make sure, as far as possible, that this does not happen.

This is where the role of the information systems (IS) auditor comes into play. In this article, we examine both the job outlook and the salary prospects for this role.


What Are the Specific Duties of an IS Auditor?

The role of the IS auditor is to assess the strengths and weaknesses of the IS infrastructure from within the organization. The specific job functions include the following:

  • Assessing the risks and controls that are associated with the IS assets of a business entity
  • Identifying the specific weaknesses of an IS system’s network
  • Planning and executing various types of internal audit procedures
  • Creating and developing internal audit reports for the management team and the C-level executives of a business or a corporation
  • Maintaining thorough and complete IS audit documentation sets
  • Creating a set of best standards which can be used to conduct risk assessment studies
  • Making sure that resolutions to previous IT audit issues have been implemented
  • Developing the entire IS audit program for an organization
  • Collaborating with other business units (primarily those of finance and accounting) in order to develop a succinct list of IS audit inputs that can be used for processing
  • Creating and developing IS audit test plans

As one can see from this list, the role of the IS auditor is integral to maintaining a strong IT security posture for the business. Because of this, the job prospects of this role will remain strong in the coming years.

The Job Prospects of the IS Auditor

There are a number of key reasons why the job prospects for an IS auditor will continue to remain good for quite some time to come:

  • As described previously, a huge catalyst is the quickly changing dynamics of the cyber-threat landscape. Business entities are always struggling to keep their internal IT controls up to date and in compliance with the latest federal regulations and requirements
  • There are many new kinds of innovations that are coming out today, especially the Internet of Things (IoT). Because of this, newer types of IT controls have to be implemented in order to ensure that the connectivity of the objects in both the physical and the virtual world is intact and remains as secure as possible
  • Recent global merger and acquisition activity means that separate IT infrastructures are now coming together as one cohesive unit. Because of this, thorough IT audits have to be conducted in order to ensure that controls from one system will be interoperable with the controls from the other systems
  • Overall, the pay for an IS auditor ranges anywhere from $46,250 (for entry-level positions) all the way up to $175,250 for the most senior positions (such as that of the Chief Audit Executive). However, there are multiple factors that can impact the salary of an IS auditor, and one of the prime ones is whether he or she possesses any related certifications

An Overview of the Certified Information Systems Auditor (CISA)

The CISA certificate is offered by ISACA. In order to qualify to take the exam, the IS auditor must have at least five years of professional work experience, with the following substitutions being permitted:

  • One year of IT experience can substitute for one year of IT audit experience
  • 60 college credit hours can substitute for one year of IT audit experience
  • 120 college credit hours can substitute for two years of IT audit experience
  • Two years of full-time teaching at a university can substitute for one year of IT audit experience.

There are five domains associated with the CISA, displayed in the matrix below:

| Domain | Percentage Covered on the Exam |
|---|---|
| Domain 1: The Process of Auditing Information Systems | 21% of exam questions |
| Domain 2: Governance and Management of IT | 16% of exam questions |
| Domain 3: Information Systems Acquisition, Development and Implementation | 18% of exam questions |
| Domain 4: Information Systems Operations, Maintenance and Service Management | 20% of exam questions |
| Domain 5: Protection of Information Assets | 25% of exam questions |

The CISA exam consists of 150 multiple-choice questions, and in order to pass it, the candidate must receive a scaled score of at least 450 (with the range being 200 to 800) within a four-hour time limit. The cost of taking the CISA exam is $760.00 (for non-ISACA members) and $575.00 (for ISACA members).

IS Auditor Job Titles and Salaries

The following matrix examines the salary levels of an IS auditor, based on job title:

| Job Title | Salary Range |
|---|---|
| Entry-Level Information Technology Auditor | $52,125 - $85,552 |
| Mid-Level Information Technology Auditor | $58,337 - $97,423 |
| Senior Information Technology (IT) Auditor | $68,000 - $108,891 |
| Information Systems Audit Manager | $84,329 - $130,853 |
| Internal Audit Director | $90,000 - $183,000 |
| Internal Auditing Manager | $70,000 - $124,265 |

(SOURCES: 1, 2, 3, 4, 5, 6)

Further examination of this data reveals that the titles that command the highest salaries are those at the Manager level and above. It appears that the highest level of title that an IS auditor can achieve is that of a director, which would correspond with the highest level of income.

IS Auditor Salaries by Geographic Location

The following matrix examines the salary levels of an IS auditor, based on geographic location in the United States:

| City and State | Salary Range |
|---|---|
| New York City, New York | $76,320 - $145,505 |
| Chicago, Illinois | $63,978 - $127,288 |
| Washington, District of Columbia | $75,429 - $131,688 |
| Dallas, Texas | $65,414 - $119,036 |
| Atlanta, Georgia | $59,036 - $120,746 |


Based on further review of this data, it appears that the larger cities pay the highest levels of salary to an IS auditor. One can also conclude that the federal government is probably one of the largest employers of IS auditors, as an IT auditor can make the highest income in Washington, DC.



Overall, the job prospects for an IS auditor will remain quite strong in the coming years. After all, businesses and corporations do need highly-trained individuals in order to assess the weaknesses and vulnerabilities of an IT infrastructure and its associated controls.

For those IS auditors who aspire to reach the highest income level possible, possessing the following would be of great benefit:

  • At least 10 years of related work experience
  • An advanced degree in information technology
  • A job title of at least Manager, with the ability to climb up to the Director level
  • The CISA certification
  • A location in a large city
  • A job with the federal government




Description of an IT Auditor, Chron

IT Auditor Responsibilities and Duties, Great Sample Resume

A Look Ahead: Internal Audit Hiring and Salary Trends, Robert Half

CISA: Certified Information Systems Auditor, Accountingverse

How to Become CISA Certified, ISACA

What is CISA Exam Like and Its Different Domains?,


Salary information (1, 2, 3, 4, 5, 6, 7) from PayScale

Ravi Das

Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi’s primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.
