Are you looking for more CISA salary info? If you’re curious about how much money you could make as a certified CISA, then this is the post for you. As technology grows in our society, the need for people with the skills to handle tech issues becomes greater. This includes people who know how to handle the security of the tech data that is growing at an alarming rate today.
This means the demand for CISA professionals is even higher than ever. Certified Information Systems Auditor (CISA) is a certification issued by ISACA for the people in charge of ensuring that an organization’s IT and business systems are monitored, managed and protected. This certification is held by people with titles such as IT auditor, audit manager, consultants and other security professionals.
I will talk more about the types of job titles a CISA can hold later, but for now, let’s get into the types of salaries you can expect when you hold a CISA certification. Not surprisingly, you can expect a decent salary for such an important tech position. Let’s put some numbers on it.
Robert Half publishes an annual salary guide for accountants and auditors full of useful information. I would like to present the details on IT audit salary, together with the premium if you get a CISA certification.
What kind of salary can you expect to bring in if you invest the time and money to get CISA certified? The average salary for a professional holding the CISA certification ranges approximately from $52,459 to $122,326. That’s a wide range, so if you’re asking, “How much does a CISA make?” let’s dig into it a bit more.
Typically, with enough work experience to qualify for your CISA certification, you’d be in the $90-100K range. Again, it can vary a lot, depending on what geographical area you’re in, how many years of experience you have, and what company you work for. Even your exact job title can make a difference in how much salary you bring in. The $50-60K range is the low end of the spectrum and usually for people brand new to their CISA and also brand new to the position they are working in.
It’s also easy to move up fast and get promotions more quickly with your CISA. We’ll talk more about that later, but people who hold the certification will qualify for raises and promotions within their job positions more quickly than other employees.
From 2015 to 2016, the IT audit profession saw a respectable 5% increase in salary across levels and across company sizes. This is in line with the general internal audit profession. Some areas have seen more shifts from 2016 to 2020, due to normal inflation and more growth in the industry. Below are two charts that show the growth and trends in both large and medium-sized companies in terms of CISA salary.
Growth in Large Companies
Large here means companies with revenue of $250 million every year:
Growth in Medium-Sized Companies
Medium here refers to those with revenue between $25 and $250 million:
According to this recent IIA salary report, the 236 survey respondents with a CISA certification have an average salary of $105K, versus $65K for those without certification. This staggering statistic shows that the certification can make a huge difference in how much you get paid annually. What it doesn’t show is that it also opens you up to positions you may not have been qualified for without the certification. But, more on that later.
This is only a rough comparison as there are many factors involved, including the number of years in the field, education level and type of companies they work for. But overall, the 61% premium is a big enough incentive for you to take the CISA certification seriously.
Here’s what some CISA certification holders have to say about how it helped them in their careers.
So, how much money do you stand to make if you get your CISA certification? We’ve covered the raw numbers of CISA salary in the previous sections, but I want to break it down a bit more for you. There was a wide range of potential salaries for CISA certification holders, so how can you know where you might fall in that spectrum?
While earnings will vary by past experience and location, the average salary for CISA-certified professionals ranges from $52,459 to $122,325 per year. This is broken down here in this chart:
|Position|IT Audit Salary|General Internal Audit Salary|
|---|---|---|
|Entry level|$63,000 – $74,000|$52,000 – $67,000|
|Junior|$71,000 – $100,000|$60,000 – $87,000|
|Senior|$91,000 – $132,000|$78,000 – $111,000|
|Manager|$108,000 – $166,000|$92,000 – $151,000|
Source: Robert Half
Let’s see this in more detail. The following salary analysis is based on Robert Half’s latest salary report on IT audit.
Entry level IT auditors joining in their first year can make from $63,000 to $79,000 in large companies, and $57,000 to $74,000 in medium-sized companies.
The premium of working in bigger companies is 8%.
Those with 1-3 years of relevant experience can see salaries of $75,000 to $100,000 in large companies, and $71,000 to $92,000 in medium-sized companies. The premium of working in larger firms remains 8%.
The jump from first-years to junior positions leads to a 19-28% salary increase. This could really be worth it if you want to stay in this niche.
By the time you become a senior IT auditor, you can expect a salary range of $100,000 to $132,000 in large companies, and $91,000 to $114,000 in medium-sized companies.
The jump from junior to senior auditor is more significant this time at 24-33%. You can definitely see how it pays off over time and with commitment.
IT Audit Managers get, on average, $116,000 to $166,000 if working in a large company, and $108,000 to $148,000 in a medium-sized company.
The jump from senior to manager is around 17-30%. This is still a good increase in salary.
You may want to check out our comprehensive page on IT audit salary and career path to learn even more. For now, let’s go over some basics.
CISA is not just for IT auditors (although it is for them, too). Here is a full list of jobs you can get with a CISA certification:
It’s one thing to see a list of job titles, but it’s another to understand what that actually means. What kind of job tasks might you need to perform if you are an internal auditor, for example? In short, IT auditors will look at the total accounting and information systems within a company. They will determine if the controls of the system are strong enough and also if external auditors can rely on the output of the system.
To compare it to financial audit, it usually relies less on actual accounting knowledge and more on information system knowledge. However, it is not exactly computer science. As a Junior IT, here’s what a typical day might look like:
As an IT manager, your initial audit is typically the hardest, and then you have to figure out how to test controls and how all the systems will fit together. Once you’ve laid this initial foundation, each year’s work after that is just building on it. If there are changes to application processes, for example, you figure those changes in and do a revised testing strategy.
As an internal auditor, or anyone in any of the job titles that may hold a CISA certification, you’re going to work long hours. This is fairly standard across the board for anyone in public accounting. However, IT auditors usually see slightly better hours than financial auditors, based on the type of work they do. Usually, they will work 50-55 hours a week during the busy season.
The hours are usually built with an 8:00-9:00 a.m. start time to a 5:00-6:00 p.m. stop time, depending on where you work. If the firm is understaffed, you could expect to see longer hours during the week, and you might even be asked to work weekends, especially during the busy season.
You can also expect some travel in your schedule as an IT auditor. When you do travel, it’s usually only for one or two weeks. The work of an internal auditor is less extensive than that of an external audit team. It also tends to be less stressful because you’re not working under the same hard deadlines.
How many clients might you expect to have at one time? It’s typical for an IT auditor to have between 5-7 clients at a time. This is far more than financial auditors, who typically only have 1-2 clients at a time. That might sound like a lot to juggle, but since you’re doing very specific work for each, it’s not so bad. Also, you will typically do the work in 1-2 weeks and then move on to the next, so there is rotation in it.
You know that you’re going to have to pay a lot of money for the CISA exam and certification from the start. If you look at the salaries above, it seems it would be worth it, however.
So, while it may cost you up to $1600 in exam fees, plus the costs of study materials before then, you will recoup those costs in your first year of working as a certified CISA.
Any time you look at certification courses like this, know that they are an investment in your career. Therefore, it’s an investment in your future as well. You cannot get a top-level job in this field without having passed the exam. CISA has even stricter requirements for the entire certification process, apart from the exam itself.
Does all of this sound like a good career move to you? Well then, how do you become CISA certified? Here’s a breakdown:
You may be surprised to know that there is no prerequisite to take this exam. As long as you believe that the CISA exam is useful for your career, go ahead. There are work experience requirements, which we cover in step 3.
This is a pencil-and-paper exam that is offered three times each year. It is a 4-hour exam consisting of 200 questions in multiple choice format. Anyone can take the exam as long as they pay the registration fees.
In terms of CISA syllabus, there are 5 domains surrounding the role and responsibility of IT auditors. Theories are tested but, in general, if you are a practicing IT auditor, it is relatively easy.
The CISA passing rate is around 50%. Successful candidates can work towards the experience requirements and apply for the certificate. If you already have the work experience, you can test and then apply for the certificate right away.
This is actually the stricter part of the CISA certification process, as mentioned above. You need to have at least 5 years of experience in information system auditing, control or security.
The work experience must be gained within 10 years preceding the application date, or within 5 years from the date of passing the exam.
However, there are various ways to obtain waivers.
You can maintain its active status by paying the maintenance fees and fulfilling the CPE requirements. You’ll need to have at least 20 contact hours per year, and 120 contact hours within a fixed 3-year period.
There is a wide range of IT audit salary depending on your level and the company you work for. As your role involves more supervision and responsibility, the compensation increases considerably.
Also, as big companies tend to have a more complex structure, businesses and transactions, they are willing to pay more to attract talent. This is something you may consider in your future career path. Would you be willing to work for a bigger company in exchange for the bigger salary?
Lastly, consider getting the CISA (or CIA) certification as soon as you can, in order to take advantage of the big premium in salary level. You can get more information in our CISA FAQ page. Is there anything else you want to know not covered here? Let us know in the comments.
I am the author of How to Pass The CPA Exam (published by Wiley) and the publisher of this and several accounting professional exam prep sites.