The primary duties of a CISA include:
- Implementing an audit strategy for information systems (IS) that is based on risk management.
- Planning audits that determine whether IT assets are protected, properly managed and delivering value.
- Executing the audits in compliance with the organization’s set standards and objectives.
- Sharing audit results and providing recommendations to management based on the results.
- Performing follow-up reviews of the audits to confirm that management has carried out the recommended actions.
However, a CISA's responsibilities often extend beyond audit controls. A CISA is expected to work with management to confirm that the organizational processes, the implementation plans and the operation of the deployed system support the organization's objectives and strategies. Initially, this includes evaluating:
- risk management practices;
- IT portfolio and resource management;
- strategies for business-IT alignment;
- business continuity and disaster recovery strategies;
- IT policies, standards, processes and procedures within the organization;
- the value of the IT control framework; and
- the management and monitoring of IT personnel, the IT organizational structure and controls.
Then, while the IS is being prepared for implementation, the CISA must continue to monitor various areas to ensure the system is deployed successfully. This includes conducting project reviews and post-implementation reviews. Other responsibilities include evaluating:
- the business case for the proposed system;
- controls for the IS;
- IT supplier selection and contract management processes;
- the project management framework and controls; and
- the readiness of the IS for implementation.
Once the system is implemented, the CISA is responsible for evaluating:
- the IT service management practices and structure;
- end user computing;
- change and release management operations;
- IT continuity and resilience;
- database management system execution;
- IT operations and maintenance;
- reviews conducted on the IS;
- problem and incident management practices; and
- data quality and life cycle management.
Finally, a CISA is responsible for working with management to ensure that the organization's security standards, policies, procedures and controls preserve the confidentiality, integrity and availability of its information assets.