I have been recruiting exclusively in the IT/audit world for about 20 years, and I have watched the evolution of the Certified Information Systems Auditor (CISA) certification with great interest. I believe there were about 25,000 CISAs in 2001—the fact that it has quadrupled in just over a decade is clearly impressive.
A decade ago my clients considered CISA a “nice to have.” Today it is often a hard-and-fast requirement. The Sarbanes-Oxley avalanche magnified the value of CISA, as new professionals flocked to the field and CISA distinguished those who not only had mastered the body of knowledge, but also showed dedication to the field and a commitment to professional development. As the focus on SOX has ebbed, CISA has continued to elevate in status and is better recognized and respected not only by audit leaders, but also by IT and business leaders whose domains rely on IT risk and control professionals for assurance.
While we celebrate the 35th anniversary of CISA this year, I expect demand for the certification to continue growing. Budgets are finally replenishing as the economy continues to improve, and I am seeing my clients create “expansion positions” at the strongest clip since the recession. Many IT audit groups that have been understaffed (“doing more with less”…a phrase we are all tired of hearing) are finally getting the reinforcements they have been asking for.
Even in the depth of the recession—around 2009—demand for auditors slowed, of course, but IT audit always outperforms the general employment market in terms of stability, mobility and salary. Those who were CISA-certified during the recession had a clear edge over those who were not when competing for attractive openings.
Based on the heavy and continually increasing volume of requests my firm is now receiving for assistance, I would put current demand at three times what it was three or four years ago. In all of my primary markets in the eastern United States, the list of major companies NOT specifically looking to hire a CISA professional is much shorter than the list of those who are.
I have clients across varied industries and I see a healthy demand in every sector. The most drastic industry-related spike I have seen is in financial services. I am not sure whether this is just from pent-up demand being satisfied now that budgets are back, or in anticipation of an increased need for the CISA skillset to address forthcoming additional regulatory-compliance requirements. Either way, I am not surprised, as the financial-services industry has always led other fields in employing CISAs in both audit and non-audit capacities.
Demand is steady, but there are changes taking place. The most interesting development I am seeing in the market is a resurgence of interest in CISAs for non-audit roles, such as IT risk management, IT compliance and IT controls analysts. Many of these roles are positioned within IT, as more IT leaders understand the value of having a CISA on their payroll to coordinate with multiple IT controls stakeholders (internal auditors, external auditors, regulators, etc.). CISAs are also prized as project managers during the implementation of IT control solutions.
The bottom line is that anyone who is committed to a career in the broader world of IT assurance—whether in an audit, compliance, governance or risk management capacity—should consider the CISA a must-have.
Let me put it like this…one of the first things I ask new candidates is “Do you have the CISA?” If not, I want to know why not. If not, I ask, “When do you plan to get it?”
Owner, Duval Search Associates
Continue the conversation…engage with your peers in the Audit Standards topic in ISACA’s Knowledge Center.
Editor's Note: ISACA's other credentials are making headlines as well. Last night, the CRISC certification won the SC Magazine Award for Best Professional Certification Program. Find details here.