Obtaining a CPE to Support Professional Certifications (Case Study of ISACA)
- Tutorial

In an article published 4.5 years ago and dedicated to obtaining the professional certification of an IT auditor, I promised to talk about how to keep this certification up to date, which, unfortunately, is not a privilege but an obligation. Having gained experience over the past years, I present to all interested a brief overview of my experience in obtaining and registering CPE, using the example of certifications from ISACA (CISA, CRISC, CISM, CGEIT). Although the process is not very intricate, perhaps someone will find it interesting and useful.
So, to begin with, we will decipher the intriguing abbreviation CPE - Continuing Professional Education. As the name implies, CPE itself is a very broad concept and is not a measure that could be easily and conveniently tracked. That is why we are talking about CPE hours. Minor, but a nuance.
In order to keep your certification up to date, you must meet the two requirements of the certification organization. First, I’ll talk about the simplest part, which, like many situations in life, is simply solved with a bank transfer.
Category certificates for 45 and membership for 135

The first thing that is required of a law-abiding certified specialist is regular annual cash injections. In order to remain a member of the organization, you need to pay 135 US dollars per year. This amount depends on the appetite of the ISACA branch in your country and is the same for most countries, including Russia. More detailed contribution information for each branch can be found on the ISACA website.
Maintaining certification status also requires an additional fee of $45 per year for each certification (the subscription mechanics that have been rapidly gaining popularity in recent years thanks to Netflix, Spotify and others like them have been in use here for a long time). Although the amount is relatively moderate (it does depend on the CBR exchange rate on the day of payment), parting with hard-earned money usually gives little joy, especially considering that payment is usually made towards the end of the calendar year, when joyless, cold, dark nights already dominate most of Russia.
However, my experience (accumulated from the experience of my friends) shows that most decent organizations (at least in default city) are ready to support employees and pay the above fees as training costs. So, I honestly admit, I have never paid for membership and ISACA certification out of my pocket, which I am glad of and which, naturally, I wish you. I believe that the employer should support their employees (and thereby their motivation) in such undertakings.
CPE hours
Now back to the most interesting part - how to

Now that we understand the basics a little, let's move on to the requirements regarding the number of CPE hours. The mathematics here is quite simple and involves no rounding up of fractional parts: starting from the calendar year following the year of certification, you need to follow a three-year cycle to maintain your professional qualifications (that is, if you received a certificate in 2019, then the cycle will begin in 2020). Within three years you need to get (or rather declare) 120 CPE hours, and the annual minimum is 20 CPE hours, so that there are no distortions (it’s continuous, not time-to-time). This is what my current table looks like, on which the recommended level of 40 hours has been kindly marked. As you can see, in 2018 I clearly did not reach the average and in the remaining couple of years I will have to push a little,

Now let's briefly go over the methods for obtaining CPE hours. For myself, I chose the two most convenient ways, which are easily combined with work and do not require significant effort, time or money.
Corporate training
In many organizations (one would really like to write “in most”, but that would be wishful thinking), training events are held for staff. Here, of course, I mean not New Year's corporate parties with undying Soviet pop stars, but something more professionally oriented. If you work in the audit function of an international organization, then most likely there will be attempts to involve you in the activities of the global team, including training. If not, then it will not be superfluous to hint about this to your manager or to the manager above, who sits in the parent organization (for the most part, foreigners are very open and ready for such requests). Whether it's a trip to the beaches of warm countries, a trip to headquarters, local team-building events or just invitations to a webinar, always agree. Anyway,
When registering your training, you will be required to enter the name, dates, organization providing the training, method (full-time, by mail and remote). It is also necessary to choose the type of activity, of which there are generally three categories, indicated by colors, and in fact 17 different types. I always choose Non-ISACA professional education activities. Well, in the end, we choose which certification this training belongs to.

Free Webinars from ISACA
Naturally, given that you pay regularly and will pay in the future, ISACA will not leave you in trouble and will give you the opportunity to get the treasured hours in a comfortable mode. For this, all members of the organization are given free access to a large number of webinars on a wide variety of topics, one way or another related to the profession. Moreover, these webinars are available in the archive, which saves you from having to adjust your daily routine to the time zone of the east, or worse, west coast of North America. A sufficient number of webinars are available and they are easy to find in the ISACA -> Education -> Online Events section:

By clicking on the link in the lower right corner of the page you will find a link to the archive where you can select topics of interest to you. Register, get access and move to the MyLearning section, where you can view the webinars that you registered for:

Most webinars are in English and sometimes also include additional materials available for download upon completion. It is worth noting that none of the webinars I have watched (and this is more than a dozen) ended with a questionnaire or something similar, which gives a theoretical opportunity to just listen to the webinar in the background, focusing attention only on the interesting parts.
After viewing the webinar in the myLearning section, you need to go to the Transcriptions subsection, where you will see a list of webinars (both finished and just announced) and the treasured Submit CPE button for those you have watched.

After that, you will be asked to send a short review about the webinar you’ve watched, which will take a couple of minutes maximum and upon completion of which the final Process CPE button appears. What to do with CPE hours will be discussed a bit later.
In total, up to 36 CPE hours can be counted per year for participating in webinars and online conferences. So this allows you to almost completely cover the required 120 hours in three years.
Audit
For every hour you declare, it is necessary to keep a certificate; after all, we are talking about auditors, and control is in our blood. The point is that from time to time ISACA conducts a selective audit of the quality of declared CPE hours. If you are lucky enough to get into the sample, then you will be asked to send evidence for each declared CPE hour and will be given some time to collect it. Honestly, I have never been audited and I know only one person who participated in this process. ISACA itself does not give a clear statement of the requirements for materials, just mentioning them as evidence (supporting documentation). Since ethical issues overall are given close attention, it is not surprising that ISACA threatens revocation of certification in the event of any inconsistencies. Personally, my opinion is that most likely there will be an opportunity to explain and clarify the situation before the irreversible consequences come. However, this should once again remind you of the limits of permissible "manipulations" associated with obtaining CPE hours. My personal advice is not to be cunning, especially when there are completely legal and not very burdensome methods at hand, which I described above.
How do I approach the documentation process:
- For all the webinars that I go through on the ISACA website, I download certificates that become available some time after completion. In principle, certificates are always on the site, but I prefer to have an offline copy. So, just in case. And it’s more convenient to sort them by year. Certificates are available in the myLearning section, under Transcriptions:
- For trainings organized by my employer, I always ask for an internal certificate to be sent. Our company has a global training team that closely monitors that everyone can claim the hours completed. I think this is primarily due to financial and business auditors (of whom there are usually more), whose situation with CPE hours is definitely not easier than in IT auditing. Our certificates always indicate the name of the company (something like the letterhead of a corporate certificate), the name and date of the courses, as well as the pre-calculated number of CPE hours. Such prudence on the part of colleagues resulted in a slight misunderstanding in 2018, when the company itself announced only 7 CPE hours to us from the three-day conference, and I was counting on 20 pieces :)
- For courses and trainings that are organized with less care, there are alternative documentation options that are described on the ISACA website. The method that I read in the official FAQ is as follows: you need to collect the visit sheets (finally I understood why we sign the visit sheets at the very beginning and end of the trainings), presentation, schedule or training plan. Also, a letter from the head confirming the fact of the training will not be out of place.
Usually, between the time when you register your CPE hours and the end of the year, there is a small margin of time that allows you to ask technical support all your questions in case of incomprehensible situations.
How else can I earn CPE hours
ISACA provides a host of other CPE hours opportunities, including the following free ones:
- Participation in the activity of the organization as a volunteer. This includes volunteer groups, various projects, the activities of the regional office. Honestly, I never came in contact with the local branch for one reason or another. But I suspect that this option may be to the taste of those who enjoy active communication with fellow professionals. In addition, meeting new people from a professional environment is never superfluous. Thus, you can get up to 20 free hours per year.
- Taking quizzes on the journals published by ISACA once every two months. This method is available only to members of the organization, which once again encourages you to continue to pay membership fees. In total, up to 6 free hours per year are possible.
- Mentoring. Here you can count the various hours spent on training your colleagues, assisting them in preparing for the ISACA professional certification exam (CISA, CRISC, CISM, CGEIT). Thus, you can get up to 10 free hours per year.
In total, together with 36 hours for webinars, we can receive up to 72 CPE hours per year without any financial injections.
In addition, there are always paid alternatives, such as professional conferences, online trainings and courses, which ISACA is actively promoting through mailing lists, advertising on the site and in magazines. Most conferences are held in North America and therefore difficult to access for Russian specialists, but you may be able to convince your employer to pay you for such an event.
From time to time, the following options come across:
- Participation in surveys. They arrive by email irregularly, maybe once a year. They give 1 CPE hour for them, but they take longer than 5 minutes, since there are quite a lot of questions.
- For passing the exam for a second or subsequent certification, you can count up to 8 CPE hours toward the one received earlier. So, in my case, I passed the CRISC exam at the beginning of 2019 and this exam automatically appeared in my CPE hours list for the current year. Theoretically, I can count it not only for the old CISA, but also in the piggy bank of the freshly obtained CRISC certification, although in fact this makes no sense, since I only start accounting for CPE hours for the new certification in 2020.
CPE hours entry
CPE hours are entered in the profile on the ISACA website and an overview of all registered hours is also available there. In my case, the last few entries look like this:

For hours that are provided by ISACA itself (indicated in the rightmost column), the entry appears automatically, but you need to confirm it by clicking on the icon in the leftmost column and fill in the missing data. In my case with the exam, I had to choose how many hours I wanted to write down and for which certification, since now I have two. In the case of webinars, the source of CPE hours is also considered to be ISACA and the entry appears automatically, although there may be a delay. From my experience it may take up to a day for the webinar I’ve watched to appear in the table (in the image, the first entry is a webinar that I have not yet confirmed).
Brief conclusions
- Before you pay for something related to vocational training and certification from your own pocket, do not hesitate to go to your supervisor (personnel officer or other suitable employee) and clarify whether the company can take on these costs.
- Always arrive at the training on time. Or at least make sure your signature is next to your name.
- Ask your training department (or the people in charge of the organization) to provide you with a certificate or other evidence of training.
- If you cannot obtain a certificate for the training, collect the maximum available evidence. By the way, I advise you to scan the visit sheet right away, since in most cases their careful storage is of no interest to anyone except you.
- Soft skills (I apologize for the anglicism) can also be counted as CPE hours, but here everyone determines for themselves the boundary of what relates to vocational training. You can always refer to the list of topics of the relevant certification (there are five such sections in CISA).
- If it’s December and you are still short of the annual minimum, rush to watch webinars from the archive or begin to mentor colleagues.
In general, the process of maintaining CPE hours at the required level is not too time-consuming and after a couple of years becomes almost automatic. A strong training culture in the department also contributes to success. I hope you find this small guide useful. If you have questions, you are welcome to ask them in the comments.