IIA training and events

IIA Qualification in Computer Auditing

The IIA Qualification in Computer Auditing is now closed to new candidates. The final exam was held in November 2008.

The information below is for reference only, for anyone who would like to know what QiCA holders studied when they took this qualification.


Course content

Successful IIA Qualification in Computer Auditing students were awarded the designation QiCA, showing that they were able to:

  • Demonstrate professional competence in their specialist field
  • Apply computer auditing skills in practical day-to-day situations
  • Give assurances on risk and control issues relating to information systems
  • Acquire the knowledge and skills necessary to monitor their organisation's information systems in depth.

The IIA Qualification in Computer Auditing comprised two Theory Modules and one Professional Experience Module. It was assessed by examination and students submitting a log of work experience. The content of these elements is set out below.

Q1: Business Information Systems Auditing

This module aimed to increase general understanding of the principles and practices of information systems auditing. It is recognised that auditors work in different types of computing environments so you are not required to give examples of specific hardware or software environments at this level. Those who have successfully completed the module will be able to:

  1. Appreciate the relationship between risk and control as applied to the use of computers
  2. Understand the role of the auditor in relation to information systems
  3. Understand the use of information systems' audit techniques
  4. Appreciate how the computer can assist the audit process.

Q2: Specialist Information Systems Auditing

The module aimed to give a detailed understanding of the principles and practices of information systems auditing at an advanced practitioner level. This module focused on some of the more technical issues. It was aimed at those who carry out 'hands-on' computer audits of a technical nature. Students were expected to provide examples and illustrations of how systems software deals with specific control issues drawn from your own experience. There were five specialist areas in the syllabus:

  1. IT Management was a compulsory part of the module. Assessment may have required illustrations of practical approaches to IT strategy, project management, systems development or performance planning.
  2. Systems Software was an optional part of the module covering a number of elements, in particular operating systems software and the audit of systems programmer activities and database systems.
  3. Security and Contingency Planning was an optional part of the module covering security and disaster recovery and contingency planning.
  4. Networks and On-Line Systems was an optional part of the module covering technical topics such as technical considerations and approaches to LANs, WANs, client server approaches and distributed systems.
  5. Auditing Applications and Advanced Systems was an optional part of the module covering specific advanced systems and control, security and audit matters.

Those who have successfully completed the module will be able to:

  1. Understand and illustrate the control and audit issues relating to information systems
  2. Understand the contribution which technical audits make to overall audit objectives.

Professional Experience Module

IIA Qualification in Computer Auditing students also needed to keep a detailed log of their work experience for two years, showing 1600 hours computer auditing related work. They could start recording their experiences as soon as they enrolled using the log provided by the Institute. The log comprises: Basic experience showing at least 250 hours of computer auditing work including;

  1. The audit of a system under development
  2. The audit of an operational system
  3. The writing of an interrogation programme
  4. An installation audit

Specialist topics in three out of five specialist areas showing at least 250 hours work in each area;

  1. IT management, strategy development and systems development
  2. Operating systems software
  3. Security and contingency planning
  4. Networks and communications
  5. Database systems

Employers should note that an appropriate manager is asked to validate the evidence provided by students in their log.