Certified Information Technology Auditor (CITA):

An information technology audit, or information systems audit, is an examination of the management controls within an information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization’s goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

IT audits are also known as “automated data processing (ADP) audits” and “computer audits”. They were formerly called “electronic data processing (EDP) audits”.

The CITA designation is a globally recognized certification designed by the Institute of Certified Internal Auditors (ICIA-PAKISTAN) for IT audit control, assurance and security professionals. Being CITA-certified showcases your audit experience, skills and knowledge, and demonstrates that you are able to assess vulnerabilities, report on compliance and institute controls within the enterprise.

Certified Information Technology Auditor (CITA) is a globally recognized certification in the field of audit, control and security of information technology. Having uniform certification criteria, CITA gained worldwide acceptance; the certification has a high degree of visibility and recognition in the fields of IT security, IT audit, IT risk management and governance. Vacancies in the areas of IT security management, IT audit or IT risk management often ask for a CITA certification. The exam tends to be associated with a high failure rate. CITA is awarded by ICIA-PAKISTAN only.

The world unified CITA exams are conducted two times a year: in June and December. The exam is known to be a difficult examination and is three hours in length; the scoring is weighted depending on a predetermined value for each question, with a passing score of 60% as the minimum. Some questions are purely for statistical purposes and do not affect the candidate’s score.

Difference between IT audit & financial System Audit:

An IT audit is different from a financial statement audit. While a financial audit’s purpose is to evaluate whether an organization is adhering to standard accounting practices, the purposes of an IT audit are to evaluate the system’s internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight. Installing controls is necessary but not sufficient to provide adequate security. People responsible for security must consider if the controls are installed as intended, if they are effective, if any breach in security has occurred and, if so, what actions can be taken to prevent future breaches. These inquiries must be answered by independent and unbiased observers. These observers are performing the task of information systems auditing. In an Information Systems (IS) environment, an audit is an examination of information systems, their inputs, outputs, and processing.

The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization’s information. Specifically, information technology audits are used to evaluate the organization’s ability to protect its information assets and to properly dispense information to authorized parties. The IT audit aims to evaluate the following:

  • Will the organization’s computer systems be available for the business at all times when required? (Known as availability)
  • Will the information in the systems be disclosed only to authorized users? (Known as security and confidentiality)
  • Will the information provided by the system always be accurate, reliable, and timely? (Measures the integrity)

In this way, the audit hopes to assess the risk to the company’s valuable asset (its information) and establish methods of minimizing those risks.

Additional requirements:

As well as passing the exam, candidates must also meet the following requirements:

  • The candidate must provide evidence of at least two years of professional experience. Related work experience or relevant higher education programs can provide credit against this.
  • The candidate has to comply with the auditing standards of ICIA-PAKISTAN in the exercise of audits and adhere to the ICIA-PAKISTAN Code of Professional Ethics.
  • After obtaining the CITA certification, 20 hours of training must be documented per year and at least 120 in a three-year period to retain certification.

The seven areas of expertise are:

  • Information Systems (IS) audit process
  • IT Governance
  • Systems and Infrastructure Lifecycle Management
  • IT Service Delivery and Support
  • Protection of Information Assets
  • Business Continuity and Disaster Recovery
  • Information System security

If the candidate has enough related experience, passes the exam and signs the code, he or she will receive the certification; maintenance of the certification, however, requires that practitioners gain Continuing Professional Education credits so that their skills remain relevant to their field.