ISACA
isaca.org › credentialing › cisa › get-cisa-certified
Earn a CISA® Certification
Let’s make sure you have everything you need: Prior to sending your application, you must meet the following requirements: Pass the CISA Exam within the last five years. Have five or more years of professional information systems auditing, ...
ISACA
isaca.org › credentialing › cisa
CISA® Certification | Certified Information Systems Auditor®
Order a hard copy of this comprehensive reference guide to prepare for the CISA exam and understand the roles and responsibilities of an IS Auditor. ... Includes registration, scheduling, re-scheduling information and important exam day terms and conditions. Test your knowledge of IT auditing, control and information security with these 10 free questions. ... This member-exclusive online forum acts as a global virtual study group for those preparing to take the CISA certification exam.
Discussions

Is CISA a way into IT Audit? If not, what is a more realistic alternative?
Just my opinion but IT Audit is generally one of the easiest positions to get in due to high turnover rate. The work is relentless, the hours are demanding and the job is… mundane and repetitive.
r/CISA
32
22
April 13, 2025
How to really be a successful IT Auditor
My experience and opinion, for what it's worth: You do not need a technical background or deep technical knowledge, but it can help. You must be willing to learn how the technology works and stay abreast of new and emerging technologies. If you have the ability to shadow implementors, then take advantage and learn. If you can find a mentor or mentors to bounce audit and compliance questions off of, then take advantage of that, too. Take some training courses in areas where you are weak. Having an investigative mindset and the willingness to validate what you are told with evidence, observation, and testing is a must, and that requires that you know what to look and ask for. A lot of this can be taught and trained, but what cannot be taught easily is critical thinking, which can be rarer for me to see in younger folks trying IT Audit for the first time. I think that when you start audit right out of school, there is a lot of business context that you miss by not working in industry some first. You need to have an understanding of how an organization operates, its moving pieces, departments, structure, strategic goals, etc. My opinion is, anyone can train in audit subjects, but training alone isn't going to help you to speak with subject matter experts and gain their buy-in. Depending on whether you are looking to audit against a specific framework or a range, you should familiarize yourself with the most common (NIST, ISO, etc). There are too many for me to list but right now most of my work focuses on NIST Cybersecurity Framework (CSF), CIS v8, ISO 27001, various privacy laws (GDPR, CCPA, MA Priv, etc). There are many implementation guides available online that should help. COVID put a stop to many conferences and events, but when they open again, try to attend some in person. The virtual events are not going to help with networking as much as real in person interaction.
I am in my 40s and have been a "second career" IT auditor for 9 years (16 so far in IT, now with a focus on cybersecurity). I have a number of credentials including CISA and CISM and a Masters in Computer Information Systems. Before that I did a variety of other things: business analyst, software QA, web design, advised merchants on PCI DSS in the late 2000s. I had almost no networking experience or exposure when I began and no accounting background. Just a love and interest in tech. Apart from formal training required for my credentials and support from other auditors, I am mostly self taught and I self funded my education and certs (which I know is not always possible for some). I did this slowly while working and while juggling family life. I would train in areas where I lacked sufficient understanding (and I still am). Learning should never stop. I have trained junior workforce in Sarbanes-Oxley testing but I haven't been able to do that lately and miss the valuable perspectives of the younger generations. I am kind of a lone wolf at present (resource issues) and I think that soon I might start my own consulting so that I can get back a bit more work-life balance. Your mileage will no doubt vary. There is no cookie cutter spec for an IT Auditor IMO, nor should there be. I think that keenness to learn is one of the biggest things you can bring to the table. Don't be afraid to make mistakes. It's the only way that I know how to learn. Last thing, you'll need to have 5 years of IT Audit experience to apply for CISA, whether from work alone or with a waiver from your degree (if it applies). You can take the exam any time, but I'd suggest at least 2 years of audit before you try, unless you just want to try it to see how it goes (and if the cost isn't an issue). Good luck!
r/CISA
22
14
December 6, 2021
External auditor taking CISA (5 years of experience requirement)
Don't think too much about it. No one is going to dig in your work experience. Just add your work experiences, add a person as reference (they will email this person to confirm your working experience) and that's it. They don't dig too much into it.
r/CISA
7
7
May 13, 2024
Investopedia
investopedia.com › terms › c › certified-information-systems-auditor.asp
Certified Information Systems Auditor (CISA): Exam, Roles, and Benefits
October 6, 2025 - Certified Information Systems Auditor (CISA) is a professional designation issued by the Information Systems Audit and Control Association (ISACA) for experts in auditing, control, and security of information systems. Candidates must pass a comprehensive exam, satisfy industry work experience and fee requirements, undergo continuing education and professional development, and adhere to ISACA’s Code of Professional Ethics and Information Systems Auditing Standards.
UMBC Training Centers
umbctraining.com › home › computer and network administration › certified information systems auditor (cisa)
Certified Information Systems Auditor (CISA) - UMBC Training Centers
May 21, 2021 - To receive a Certified Information Systems Auditor certification, candidates must pass a comprehensive exam and satisfy industry work experience requirements.
New Horizons
newhorizons.com › certifications › certified-information-systems-auditor-cisa
Certified Information Systems Auditor (CISA) | New Horizons
For professionals who audit, regulate, monitor, and review an organization's information technology and business systems, the Certified Information Systems Auditor® certification is regarded throughout the world as the gold standard of achievement. CISA is one of the most sought-after and ...
Reddit
reddit.com › r/cisa › questions on getting certified
r/CISA on Reddit: Questions on getting certified
January 12, 2024

Currently looking into IT auditing and potentially getting the CISA certification, but I have some questions about finding jobs and potential barriers to entry:

  1. Do people usually get the CISA certificate as a means to getting a job in IT auditing, or do existing IT auditing professionals get certified to boost their salaries (or perhaps both)?

  2. Do employers care how you get certified? I see a few online certification courses that offer 32 hour instructor led classes, but also some 6 month full time post-grad certification courses for CISA offered by universities as well. Is there any distinction between the two?

  3. On the ISACA website, it mentions that CISA certification requires a minimum 5-years of professional IS auditing (with certain exceptions based on previous work experience and educational background). Does this mean that even after completing the exam, I may not be able to get certified without having the prior work experience first?

  4. Lastly, what is the barrier to entry when trying to land an IT audit job? Right now, I'm currently working as an SDET/QA. Would my current work experience be applicable or relevant when trying to find an IT audit role?

Any feedback or insights would be greatly appreciated!

Top answer
1 of 4
17
You need 5 years of IT audit experience for CISA. Whether you work those 5 years completely or you qualify for waivers to shorten that time by 1, 2, or 3 years (depending on which waiver you qualify for), you will have invested time and effort towards the cert. You cannot be CISA certified without proving that experience on your application. Your employer needs to sign and verify it. You can sit the exam at any time, but you won't have CISA until you complete all of your requirements and your application is accepted. Read the application for details. The only certifying body for CISA is ISACA. You can take any training course marketed and sold by others, but the exam is through ISACA, the application and maintenance fees are paid to ISACA, the CPEs to maintain it are submitted to ISACA. ISACA offers its own materials and training at cost. CISA is not a one and done cert. It must be maintained annually via maintenance fees and minimum requirements for CPEs (resetting on a 3-year cycle). If you want to know if your current work applies to CISA, read all of the CISA job practice areas. You need experience in at least one of the 5 to qualify for CISA. They have been updated for 2024: https://www.isaca.org/credentialing/cisa/cisa-exam-content-outline Many start in audit but fewer remain long term. Firms snatch up young people right out of college, train them well, send them out into the field to practice. Usually, they begin as accountants that favored prospects in IT audit over financial audit, but not always. The problem is they have no real IT or work experience and often have no clue how a business operates. They stay because benefits are good, pay is reasonably good, there is steady career progression, and they don't want to start a career from scratch again. This is not the case for all, but many. Firms work them to the ground until they burn out. 
I can say this because I have mentored the burnouts (once they land the next job) to prepare for their future in audit, if they desire one, or encourage them to find a different industry. We are inundated with young, keen, green auditors that probably shouldn't be in audit at all. What the CISA was intended for and how it tends to be used and advertised in and outside of ISACA are two different things. CISA focuses on IT audit. It is intended for those already working in IT audit who want to continue and gain an early career credential that is recognized by the industry and by clients or employers that want their Auditor to have enough experience and "street credit" to know their stuff and apply it. The CISA can be earned while you gain your experience. It was not intended to be a prerequisite to EARLY (emphasis) employment. It is more expected when you have an established audit career, hence the 5 year experience requirement. Plenty of firms hire associates with little experience and with the intention of supporting them until they earn CISA. The big 4 do this, smaller firms do this, etc. Will having CISA give you a boost when looking for your next job? Yes, absolutely, if it is in a related field. CISA is also used to show foundational knowledge of GRC for more technical folks that are aiming for management, since they will no doubt be owners of systems/controls and need to have an understanding and ability to communicate with auditors or ensure their company is meeting compliance requirements, etc. It's a means to a specific end for them and is what floods the industry with a purpose-built cert that ultimately loses its value overall. This is what has happened with CISSP to some extent. I am not talking about folks who pivot fully to GRC from established technical careers. That's an intentional change in career after a period of time and makes sense. 
You only need experience in one of the 5 job practice areas for CISA, which barely scratches the surface of GRC and is not hard to achieve if you are already in IT. Add to that the ability to cut down the experience requirement with waivers, and you can see why many more will obtain CISA than should. This is my opinion after 12 years in audit (second career) and others may disagree with me. I tell anyone thinking of CISA to think about whether it's the best cert for them. If you plan to stay in audit for sure, get CISA. CISA can open more doors to GRC roles as your career progresses. If you aren't ready to know if you want to audit, wait and work. Give it 2-3 years of audit work and then revisit if audit is for you (it's not for everyone). If you just want CISA as something to clip to your belt like a Pokémon ball, with no intention of staying in GRC, I urge reconsideration. In that case, CISA is probably not right for you and there's likely a better cert for you to invest time and effort in. Meanwhile, you can study all the job practice areas, plus the applicable laws, standards, regs, frameworks, etc., in your spare time just like auditors are expected to do, but without having to commit to something that has to be maintained with money and CPEs annually.
2 of 4
4
1: it's both, same as most certs
2: no-one has ever asked
3: you won't be certified without the experience
4: audits can be wide ranging, so in interviews I've been asked about the breadth of my IT experience; would I know if evidence was a bit off, for example
Kennesaw State University
kennesaw.edu › coles › academics › accountancy › get-certified › certified-information-systems-auditor.php
Certified Information Systems Auditor - Coles College of Business
Unlike the CPA Exam, students can take the CISA exam without having a degree in hand. However, to earn CISA certification you must pass an exam, have 5 years of professional experience, and adhere to a code of professional ethics. The CISA certification requires mastery in five (5) “domains”:
University of San Diego
onlinedegrees.sandiego.edu › home › blog › getting your cisa certification [10 points to consider]
Getting Your CISA Certification [10 Points to Consider]
January 14, 2025 - Here’s what you need to know about the CISA certification requirements: ... Possess a minimum of five years of professional information systems auditing, control or security work experience (as described in the job practice areas).
Cybersecurity Guide
cybersecurityguide.org › home › learn all about the latest cybersecurity degree programs › mastering the cybersecurity certification journey › cisa certification: a complete guide
CISA Certification Overview and Preparation Guide
October 16, 2025 - This guide breaks down everything you need to know—including what it is, who it’s for, eligibility requirements, exam structure and domains, scheduling and retake policies, costs and fees, experience waivers, scoring process, certification application, and ongoing maintenance (CPE) requirements. ... The Certified Information Systems Auditor (CISA) certification, offered by ISACA (Information Systems Audit and Control Association), is a globally recognized credential that signifies expertise in auditing, controlling, monitoring, and assessing an organization’s information technology and business systems.
Coursera
coursera.org › coursera articles › it › it support › how to become a certified information systems auditor (cisa)
How To Become A Certified Information Systems Auditor (CISA) | Coursera
September 15, 2025 - This often translates career advancement into more senior titles or higher pay. To become a CISA, you must have five years of experience auditing, securing, and controlling information systems.
NTUC LearningHub
ntuclearninghub.com › en-US › - › course › nicf-certified-information-systems-auditor-cisa-sf
NICF019: NICF - CERTIFIED INFORMATION SYSTEMS AUDITOR (CISA) (SF) (SYNCHRONOUS E-LEARNING) - LearningHub
CISA Certified Information Systems ... and the enterprises they serve the world over · CISA requires real-world, hands-on work experience in addition to the achievement of passing a comprehensive exam....
Arizona
ce.arizona.edu › news › certified-information-systems-auditor-faqs
Certified Information Systems Auditor FAQs
December 18, 2023 - CISA certification requires a minimum of five years of professional information systems auditing, control or security work experience (or a combination of education, work experience and other credentials).
Agnes Scott College
agnesscott.edu › continuing-education › cisa.html
Certified Information Systems Auditor Training Course | Agnes Scott College
There are no specific prerequisites for taking this course. However, ISACA requires five years of professional work experience in information systems auditing, control, or security in order to obtain certification.
Teradata
teradata.com › home
CISA Exam: Certification Requirements | Teradata
February 6, 2025 - The demand for skilled information ... The CISA certification process involves passing a comprehensive exam and demonstrating professional experience in information systems....
Simplilearn
simplilearn.com › home › resources › cyber security › cisa certification requirements 2024: unlock your potential!
CISA Certification Requirements 2024: Unlock Your Potential!
July 31, 2025 - Explore how to achieve CISA certification, from understanding exam content to completing work experience. Find out how to register, prepare & maintain your certification.
WGU
wgu.edu › career-guide › information-technology › certified-information-systems-auditor-career.html
How To Become a Certified Information Systems Auditor
December 2, 2024 - To become a certified information systems auditor, you’ll need to obtain the CISA certification. This entails passing the CISA exam and applying for certification.
Wake Tech
waketech.edu › programs-courses › non-credit › workforce-training › information-digital-technology › cisa
Certified Information Systems Auditor | Wake Tech
August 29, 2025 - Prior to course enrollment, students should have a basic understanding of Information Technology (IT), including computer systems, networking, and cybersecurity principles. A background in auditing, risk management, or business operations is helpful but not required.