July 2003

IS/IT Certifications: Which Is the Right Choice?
By MaryAnne Atkinson

The accounting profession has a variety of licenses and certificates that attest to an individual’s ability to conduct financial statement audits, perform management accounting functions, conduct internal audits, and offer financial management services. The variety reflects the wide array of skills that accountants can possess and services they can provide. In the information technology (IT) and information systems (IS) area, three vendor-neutral certifications are available: Certified Information Technology Professional (CITP), Certified Information Systems Auditor (CISA), and Certified Information Systems Security Professional (CISSP).

Determining an individual’s level of technical expertise, however, presents a dilemma for potential users and providers of technology services. The nature of the IT field allows many individuals with no training or experience to call themselves “IT consultants” or “security specialists.” In addition, because of legal liability concerns, it is vital that IT consultants have proper training and sufficient knowledge for the services they provide. Certifications are a way to identify qualified consultants.

Niche Services

Creating a “niche” or a specialization can provide a variety of benefits, including the opportunity to—

For example, thousands of CPAs have enlisted in Peachtree Account Care and Intuit Advisor, enhancing their ability to become value-added resellers of accounting software. Other certifications attesting to specialized skills include Novell’s network certification and Microsoft’s various software certifications. For CPAs, however, a broad-based knowledge of IT and security issues is more important.

Three designations that attest to an individual’s understanding of a broad body of knowledge reflecting the type of expertise most suitable to CPAs
providing IT services are the CITP (citp.aicpa.org), CISA (www.isaca.org), and CISSP (www.isc2.org). While there are overlaps in the expertise required for these certifications, their usefulness for particular purposes varies.


The AICPA began offering the CITP certification on July 1, 2000; it is now held by approximately 500 individuals. The AICPA’s resource materials to help certified professionals market their skills include sample advertisements, a PowerPoint presentation, press releases, and other media advice.

Focus groups of business executives and IT professionals provided the AICPA with guidance on the body of knowledge necessary for the CITP certification. This knowledge base includes the following:

Requirements. Although the applicant must hold AICPA membership and a valid CPA certificate (for states that do offer certificates; New York does not), an active CPA license is not required. First, the CITP candidate completes an online assessment tool that evaluates IT-related business experience and lifelong learning. The candidate must accumulate at least 100 points in the preceding three years through a combination of business experience, lifelong learning, and a comprehensive examination.

The business experience requirement covers evaluative or management experience in an IT-related job, although teaching IT courses also earns these points. Each 800 hours on the job counts for 25 points; a minimum of 15 points and no more than 75 points from this area are counted toward the 100-point total.

Lifelong learning is the broadest area. At least 30 and no more than 70 points can come from this category. Continuing professional education (CPE) qualifies; 30 CPE credits equals 10 points. Time spent in on-the-job training is applicable, as is reading IT-related journals or books. Maintaining another IT-related certification also earns 10 points, and authors of published articles can receive a maximum of 15 points for this effort.

A candidate who has not accumulated sufficient points from business experience and lifelong learning may take a comprehensive examination, which is offered twice per year. Passing the exam adds 40 points to the candidate’s total.

Initial accreditation is for a three-year period; a $500 initial fee is followed by a $250 annual fee. Re-accreditation requires 100 points over each successive three-year period. As an AICPA member, a CITP must follow the Institute’s Code of Professional Conduct.

Candidates. The CITP provides evidence of a CPA’s technological skills. For accounting academics, many of which could be eligible, the CITP certification provides a way to show evidence of continuing professional development. Points can be earned by teaching college-level classes and CPE courses. Accounting students with IT experience may find the CITP a key step toward an accounting and technology career.


The CISA certification is awarded by the Information Systems Audit and Control Association and Foundation (ISACA). The organization was founded in 1969 and claims more than 22,000 current members in over 100 countries, including IS specialists in a wide range of functional areas. Demand for the CISA is at an all-time high, with more than 13,000 certificate holders.

The CISA certification is designed for professionals who audit information systems, but the certification would also be beneficial to individuals with an interest in auditing, control, and the security of information systems.

ISACA is partnering with the Canadian Institute of Chartered Accountants (CICA) to provide an IT-related certification. CPAs with the CISA credential also benefit from being associated with a globally recognized standard of achievement among IS audit, control, and security professionals and their employers.

The CISA credential has wider recognition than the AICPA’s CITP designation. Just like CITPs, however, CISAs must possess a broad base of IT knowledge.

The CISA certification examination tests five areas:

Requirements. The CISA examination is given annually in June, and may be taken in one of 10 languages. The fee is currently $395 for non-ISACA members. The four-hour exam includes 200 multiple-choice questions covering the five aforementioned areas. Five years of experience in the areas of information systems audit, control, or security are required; however, auditing experience, academic degrees, and academic teaching may be substituted for this requirement. CISA candidates may also take the examination first, then acquire the required experience. To ensure that their skills remain current, CISA professionals have a CPE requirement of 120 hours every three-year period, with an annual minimum of 20 hours. All members must follow a code of professional ethics.

Candidates. The CISA is most useful for IT professionals with an accounting or auditing background. The focus is on audits of technology, which compare a system with relevant standards and report on the findings. This certification would also be useful for CPAs in public practice because knowledge of the audit process is essential. Academic degrees and teaching experience can be substituted for work experience, so accounting professors and their students can consider this certification.


The International Information Systems Security Certification Consortium [(ISC)2] has been granting the CISSP certification since 1995. A CISSP will have a broad-based knowledge of information systems and technology, with an emphasis on security. The certification is intended for professionals responsible for policy development, security management, and other system consulting.

A CISSP designation is well respected in the information security community and known as the de facto security management certification. The certification can enhance an IS career and provide added credibility. There are currently 3,000 CISSP professionals in 31 countries.

CISSP examinees are tested in 10 knowledge domains, known collectively as the common body of knowledge (CBK):

Requirements. Beginning in 2003, four years of systems security experience in at least one of the 10 areas included in the CBK is a requirement for taking the CISSP examination. This experience may be as a practitioner, auditor, vendor, or instructor. A candidate may also have three years of experience along with a college degree or equivalent life experience, which is evaluated on a case-by-case basis. All candidates must take the six-hour exam consisting of 250 multiple-choice questions drawn from the CBK. The fee is $450, and the exam is offered monthly at locations around the world. Once the candidate has passed, a letter from an employer or another CISSP is required to obtain the certification.

Candidates. The CISSP certification would be useful for individuals interested in providing security evaluations or internal control–related consulting services. Professionals working within the IT department of an organization would find the CISSP certification valuable, as would accountants with a background in the administration of computer technology. Because teaching experience in a related field is acceptable for the experience requirement, accounting professors can obtain this certification.

MaryAnne Atkinson, PhD, is a professor in the department of accounting at Central Washington University in Lynnwood, Wash.

News & Views Editor:
Thomas W. Morris
The CPA Journal

Home | Contact | Subscribe | Advertise | Archives | NYSSCPA | About The CPA Journal

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2006 The CPA Journal. Legal Notices

Visit the new cpajournal.com.