Certified Information Technology Professional

Certified Information Technology Professional (CITP) is a Certified Public Accountant recognized for their technology expertise and unique ability to bridge the gap between business and technology. Unlike other certifications that recognize only a narrow scope of skills, the CITP credential recognizes technical expertise across a wide range of business-technology practice areas.

The CITP credential is predicated on the fact that in today’s complex business environment, technology plays an ever increasing role in how organizations meet their business obligations, and that no single professional has a more comprehensive understanding of those obligations than a Certified Public Accountant. An increasingly competitive global marketplace has organizations clamoring for new technologies and the capacities, efficiencies and advantages they afford. While IT professionals have the technical expertise necessary to ensure that technology solutions are properly deployed, they lack the CPA’s perspective and ability to understand the complicated business implications associated with technology. The CITP credential encourages and recognizes excellence in the delivery of technology-related services by CPA professionals, and provides tools, training, and support to help CPAs expand their IT-related services and provide greater benefit to the business and academic communities they serve.

Issuers

CPA.CITP is a is a sub-credential granted by the American Institute of Certified Public Accountants only to eligible Certified Public Accountants in the United States.

Qualifications for the CITP

To qualify, the CPA will complete an application that uses a points system for the number of billable and non-billable hours of business technology experience and the number of credit hours and/or hours of lifelong learning you have in the following seven CITP Body of Knowledge areas:

• Technology Strategic Planning
• System Development, Acquisition, Implementation and Project Management
• IT Architecture
• Information Systems Management
• Business Process Enablement
• Systems Security, Reliability, Audit and Control
• IT Governance and Regulation

In addition, certain certifications and advanced degrees also apply. Please review the application for a complete list. To be awarded the CITP credential, a CPA must qualify for 100 total points on the application.

On the CITP Credential Application you will be asked to sign a Declaration and Intent to comply with all the requirements for CITP recertification.

A percentage of CITP applications will be randomly selected for further review each year, and if selected, the applicant agrees to provide detailed documentation (including specifics of Business Experience and Lifelong Learning) to support the assertions of the application.

CITP Body of Knowledge

The CITP credential holder possesses a breadth of business and technology experience. The CITP Body of Knowledge represents the qualifying areas of technology knowledge for both business experience and lifelong learning. The Body of Knowledge essentially contains the seven areas of services as follows:

1. Technology Strategic Planning
2. IT Architecture
3. Business Process Enablement
4. System Development, Acquisition, Implementation and Project Management
5. Information Systems Management
6. Systems Security, Reliability, Audit and Control
7. IT Governance and Regulation

All CITP professionals should possess a mastery of the following knowledge and skills.

1.) Technology Strategic Planning

• a. Understand enterprise or business strategy and vision
  • i. Business focus of the entity
  • ii. Position of the entity within its industry
  • iii. Relationship of IT strategy and business strategy
  • iv. Operational dynamics that influence the business
  • v. Business processes as they relate to the strategic plan
  • vi. Internal and external business drivers that impact IT
• b. Assess current IT environment
  • i. Assess current status of the entity's use of IT to support its business processes¹
  • ii. Assess IT risk & opportunity
  • iii. Assess stakeholder attitude
  • iv. Assess stakeholder attitude
• c. Envision future IT environment
  • i. Scan external environment
  • ii. Envision future status of the entity's system
  • iii. Assess the future IT strategy in the context of the entity's business strategy
• d. Assess IT strategic plan
  • i. Assess IT management's goals & objectives
  • ii. Assess overall feasibility and set the scope
  • iii. Identify business constraints
  • iv. Assess action plans and timelines
  • v. Identify the elements of transition
  • vi. Determine process for creating and executing a plan
  • vii. Determine critical success factors
  • viii. Determine appropriate measurements for a given IT strategy
  • ix. Align IT strategic plan with business and IT strategy
  • x. Obtain sponsor and stakeholder approval

2.) IT Architecture

• a. Assess the entity's IT architecture
  • i. Describe Infrastructure—the physical and hardware components of a system
  • ii. Assess Software—the programs and operating software of a system
  • iii. Assess People—the personnel involved in the operation and use of a system
  • iv. Assess Procedures—the programmed and manual procedures involved in the operation of a system
  • v. Assess Data—the information used and supported by a system
• b. Assess current capacities
  • i. Analyze Infrastructure
  • ii. Assess Software
  • iii. Assess People
  • iv. Assess Procedures
• c. Assess Data
  • i. Assess the entity's practices
  • ii. Assess organizational structure
  • iii. Assess IT governance
  • iv. Assess job functions & descriptions
• d. Assess System reliability (see Section 6)
  • i. Assess Training & development
  • ii. Assess Sourcing of IT Architecture Components
• e. Understand protocols, standards, and enabling technologies
  • i. Protocols and standards
  • ii. Enabling technologies
  • iii. Extensible Business Reporting Language (XBRL)
• f. Application development environment
  • i. Understand database architecture
  • ii. Database design
  • iii. Conceptual level of schema
  • iv. Benefits of using a database
  • v. Types of data relationships
  • vi. Implementation models
  • vii. Data definition and data manipulation

3.) Business Process Enablement

• a. Identify stakeholders and assess their requirements
  • i. Identify key business system stakeholders
  • ii. Assess their business system functionality and performance requirements
• b. Understand the entity's business and assess the effectiveness of business processes
  • i. Understand business models
  • ii. Assess the effectiveness of the entity's business processes
• c. Assess the business processes for risks and opportunities
  • i. Align business processes with business strategy
  • ii. Identify and assess barriers and enablers
  • iii. Advise approaches to barriers and enablers
  • iv. Assess procedures to manage changes to business processes
• d. Assess the impact of IT on the entity's business models and processes
  • i. Assess the impact of e-commerce issues
  • ii. Assess the impact of applications of e-commerce
  • iii. Assess the impact of enterprise systems
• e. Assess business processes and advise management on appropriate solutions

4.) System Development, Acquisition, Implementation, and Project Management

• a. Identify and assess technology enabled business opportunities
  • i. Establish high level business requirements
  • ii. Assess preliminary solution search.
  • iii. Assess business case
• b. Assess system acquisition process for commercially available solutions or service providers
  • i. Assess business requirements
  • ii. Assess vendor selection process
  • iii. Assess product gap analysis
  • iv. Advise optimal solution
• c. Assess systems development life cycle (SDLC) methods and associated tools and techniques
  • i. Understand alternate SDLC models
  • ii. Assess business requirements
  • iii. Assess high-level conceptual design and related investment and risks
  • iv. Understand system modeling tools and techniques
  • v. Assess system design specification
  • vi. Advise optimal development approach
• d. Assess systems implementation processes and techniques²
  • i. Assess system implementation plan
  • ii. Assess acceptance testing approach
  • iii. Assess Data Conversion approach
  • iv. Assess post-implementation review
• e. Assess project management processes
  • i. Assess the project initiation
  • ii. Assess the project plan
  • iii. Assess the ongoing execution of the project plan
  • iv. Assess controls over the project
  • v. Assess completion of the project
  • vi. Understand project management tools and techniques

5.) Information Systems Management

• a. Assess IT organization
  • i. Assess IT policies, procedures and methodologies that support the entity's strategic plan
  • ii. Assess IT organization related to system components
  • iii. Assess IT human resource policies
  • iv. Advise changes to IT organization and policies
• b. Assess IT operations, effectiveness, and efficiency
  • i. Understand infrastructure and its relationship to applications and user requirements
  • ii. Assess human resources management
  • iii. Assess processes used to maintain organizational efficiencies
  • iv. Assess service provider activities
• c. Assess asset management
  • i. Understand contracts and licenses and understand compliance issues
  • ii. Understand data ownership, security and reliability issues
  • iii. Understand intellectual property issues
  • iv. Understand international issues related to cross-border transportation and storage of data
  • v. Assess provider documentation
  • vi. Assess creation and maintenance of user documentation
  • vii. Assess on-going training and end-user support
  • viii. Analyze asset life cycle, including routine technology planning and IT asset management process
• d. Assess change control and problem management
  • i. Understand change control techniques
  • ii. Assess problem management
• e. Assess performance and financial control over IT resources³
  • i. Identify and assess performance metrics and related monitoring processes
  • ii. Assess controls over IT costs

6.) Systems Security, Reliability, Audit and Control

• a. Understand the principles of a reliable system⁴
  • i. Understand the Security principle and its risks
  • ii. Understand the Availability principle and its risks
  • iii. Understand the Processing Integrity principle and its risks
• b. Understand the controls that provide for system reliability
  • i. Understand the controls that provide for system security
  • ii. Understand controls for system availability
  • iii. Understand the controls that provide for system process integrity
• c. Understand the criteria against which a system can be evaluated
  • i. Assess the definition and documentation of an entity's performance objectives, policies, and standards
  • ii. Assess the communication of the objectives policies, and standards to authorized users and personnel responsible for implementing them
  • iii. Assess the procedures an entity utilizes to achieve and maintain its objectives in accordance with its established policies and standards and to protect the system against potential risks.
  • iv. Assess the entity's monitoring activities of the system as well as environmental and technological changes to enable an entity to identify potential impairments to system reliability and to take appropriate action to achieve and maintain compliance with its defined objectives, policies, and standards
• d. Understand privacy issues
  • i. Understand the definition of Privacy—the nature and extent of personally identifiable information a system collects, uses, retains and discloses in providing services, and the degree of intrusiveness a system imposes on users.
  • ii. Understand how Security relates to privacy issues by restricting access to and protecting the personally identifiable information in the system.
  • iii. Assess privacy risk management issues
  • iv. Design a privacy program using AICPA/CICA Privacy Framework
  • v. Understand current privacy laws, regulations and guidelines
• e. Systems Audit and Control
  • i. Understanding System Controls
  • ii. Testing Controls
  • iii. Assessing Controls

7.) IT Governance & Regulation

• a. Governance
  • i. Establish Risk Thresholds for Critical Information Assets and Information-dependent Functions and Objectives
  • ii. Establish Broad IT Program Principles and Assign Senior Management Accountabilities for IT
  • iii. Protect Stakeholder Interests Dependent on IT
  • iv. Ensure Appropriate IT Requirements for Strategic Partners and Vendors
  • v. Comply with External IT Requirements (e.g. Sarbanes-Oxley, HIPAA, GLB)
  • vi. Establish Requirements for Internal and External Audits of the IT Program
  • vii. Specify the IT Metrics to be Regularly Reported to the Board
• b. Regulation & Standards
  • i. Federal Laws
  • ii. Rules & Standards

1. AICPA/CICA SysTrust, Principles and Criteria for Systems Reliability Version 2.0, January 2001, pages 2–3.

2. Information Technology Control Guidelines, 3rd edition, CICA, Chapter 4

3. Cobit, Management Guidelines, pages 72–73

4. AICPA/CICA SysTrust, pages 4–8

CITP Multiple Entry Point System (MEP)

To be awarded the CITP Credential, a CPA must accumulate 100 total points. Total points will be earned based on business experience, lifelong learning, and, if required, the results of an examination.

Business Experience Requirement

• To be awarded the CITP credential, the candidate must earn a minimum of 25 points for business experience within the five-year period preceding the date of application.

• The maximum number of business experience points that can be earned over the preceding five year period is 60

• 40 hours of IT-related business experience equals approximately 1 point

The final number of points earned in this category will be determined by a combination of the number of hours of experience and the scope of that experience. Eligible business experience must address the seven practice areas that currently comprise the CITP Body of Knowledge. Academics may count their time lecturing and teaching towards the business experience requirement.

Life Long Learning (LLL) To be awarded the CITP credential, you must also earn a minimum of 25 points in lifelong learning within the five-year period preceding the date of application. The maximum number of life-long learning points allowed over a five-year period is 60.

The objectives of the lifelong learning requirement are twofold, to:

• Maintain your competency by requiring timely updates of existing technology knowledge and skills

• Provide a mechanism for monitoring the maintenance of your competency

The following types of lifelong learning activities are eligible for points:

• Continuing Professional Education

• Approved courses from an accredited university or college

• Other continuing education courses

• Trade association conferences

• Non-traditional learning methods self-directed reading

• Presenting

• Authoring

• Other credentials designations and certifications, advanced degrees, and committee service

Oversight

The credential is administered by the AICPA through the National Accreditation Commission via a volunteer committee and dedicated AICPA staff. The committee was formed in 2003 and initially chaired, through 2005, by MICHAEL DICKSON, CPA.CITP. He was succeeded by the current chair, GREGORY LaFOLLETTE,CPA.CITP. The committee consists of six members each serving staggered three year terms.

External links

• CITP Information (AICPA)
• American Institute of CPA
• Becoming a CPA (AICPA)