In an article published 4.5 years ago and dedicated to obtaining professional certification of an IT auditor, I promised to talk about how to maintain this certification up to date, which, unfortunately, is not a privilege, but an obligation. Having gained experience over the past years, I provide everyone with a brief overview of their experience in obtaining and registering CPE on the example of ISACA certifications (CISA, CRISC, CISM, CGEIT). Despite the fact that the process is not very intricate, perhaps someone will be interesting and useful.

So, to begin with we will decipher an intriguing abbreviation of CPE - Continuing Professional Education. As the name implies, the CPE itself is a very broad concept and is not a measure that could be easily and conveniently tracked. That is why we are talking about CPE hours. Slight, but a nuance.
In order to maintain its certification up to date it is necessary to satisfy the two requirements of the certifying organization. First I will talk about the simplest part, which, like many situations in life, is simply solved with the help of a bank transfer.

Category certificates for 45 and membership for 135

The first thing that is required of a law-abiding, certified specialist is regular annual cash infusions. In order to remain a member of the organization, you need to pay US $ 135 per year. This amount depends on the appetites of the ISACA branch in your country and is the same for most countries, including Russia. More detailed information about the contribution for each branch can be found on the ISACA website.
')
For maintaining the status of certification, you will also need an additional fee of $ 45 per year for each certification (the mechanics of the subscription have been used for a long time, which has gained so much popularity in recent years thanks to Netflix, Spotify, and others like them). Despite the fact that the amount is relatively moderate (although it depends on the rate of the Central Bank of the Russian Federation on the day of payment), the desire to part with the hard-earned money usually brings little joy, especially considering that payment is usually made closer to the end of the calendar year when most of Russia already the already bleak cold dark nights prevail.

However, my experience (accumulated with the experience of my friends) shows that the majority of decent organizations (at least in the default city) are ready to support employees and pay the above contributions as training costs. So, I confess honestly, I have never paid for membership and ISACA certification from my own pocket, which I am glad and wish, of course, to you. I believe that the employer should support its employees (and thus their motivation) in such undertakings.

CPE hours

Now we come back to the most interesting part - how to quickly raise the dough to get the cherished CPE hours without SMS and registration . First of all, let's talk about the necessary time transformations, since each CPE hour is a slightly increased academic hour - 50 minutes. When calculating hours, pauses, lunches and other wriggling from active participation in the learning process are not taken into account. For ease of calculation (oh, if ...), CPE hours are allowed to be accurate to quarters with rounding down. That is, if you wish, you can count 50 minutes for 0.75 CPE hours. The site even provides an example of the calculation, which I will give without translation. In it, 8 astronomical hours with the help of simple manipulations turn into 7.75 CPE hours:



Now, having a little understanding with the materiel, let's move on to the requirements regarding the number of CPE hours. The mathematics here is quite simple and without rounding the fractional parts: starting from the calendar year following the year of certification, you need to follow a three-year cycle to maintain your professional qualifications (that is, if you received a certificate in 2019, the cycle will start from 2020). Within three years, you need to get (or more correctly, declare) 120 CPE hours, and the annual minimum is 20 CPE hours so that there are no imbalances (that's why it is continuous, not time-to-time). Here is what my current table looks like, for which the recommended level is kindly noted at 40 hours. As you can see, in 2018 I obviously didn’t reach the average and in the remaining couple of years I’ll have to put some pressure on it to get to the limit.



Now briefly go through the methods for obtaining CPE hours. For myself, I chose the two most convenient ways that are easily combined with work and do not require considerable effort and time and money.

Corporate training

In many organizations (and in fact they so wanted to write “in the majority” and wishful thinking), training events for staff are held. Here, of course, I mean not New Year's corporate parties with undying stars of Soviet pop music, but something more professionally oriented. If you are working in an audit of an international organization, then most likely you will somehow be involved in the activities of the global team, including training. If not, it would not be superfluous to try to hint about this to your leader or manager above, who is in the head organization (most of them are very open and ready for such questions). Whether it is a trip to the beaches of warm countries, a trip to headquarters, local team-building events or just invitations to the webinar - always agree. In any case, whatever activity it is, if it is educational and fits the profile for your certification - feel free to take it into account.

When registering your training, you will be required to enter the name, dates, organization providing the training, method (full-time, by mail and deleted). You also have to choose the type of activity, which in general are three categories, marked with flowers, and in fact 17 different types. I always choose the “Non-ISACA professional education activities”. Well, in the end we choose to which certification this training applies.

Free webinars from ISACA

Naturally, considering that you pay regularly and will pay in the future, ISACA will not abandon you in trouble and will give you the opportunity to get the cherished hours in comfort mode. To do this, all members of the organization are given free access to a large number of webinars on a wide variety of topics one way or another related to professional topics. Moreover, these webinars are available in the archive, which saves you from having to adjust your daily routine to the Eastern time zone, or worse, the west coast of North America. There are enough webinars available and are easy to find in the ISACA -> Education -> Online Events section:



Clicking on the link in the lower right corner of the page you will find a link to the archive where you can choose the topics that interest you. Register, access and move to the MyLearning section, where you can view webinars for which you have registered:



Most of the webinars in English also sometimes include additional materials that are available for download upon completion. It is worth noting that none of the webinars I reviewed (which is more than a dozen) did not end with a questionnaire or something similar, which makes it theoretically possible to just listen to the webinar in the background, focusing only on interesting places.

After viewing the webinar in the myLearning section, you need to go to the Transcriptions subsection, where you will see a list of webinars (both completed and only announced) and the cherished Submit CPE button for those viewed.



After that, you will be asked to send a small review of the viewed webinar, which will take a maximum of a couple of minutes and at the end of which the final Process CPE button will appear. What to do with CPE hours will be discussed later.

A total of 36 CPE hours per year can be counted for participation in webinars and online conferences. So this allows you to almost completely cover the required 120 hours in three years.

Audit

For each hour you have declared it is necessary to keep a testimony; after all, we are still talking about auditors, control is in our blood. The point is that from time to time ISACA conducts a selective audit of the quality of the declared CPE hours. If you were lucky to get into the sample, then you will be asked to send evidence for each stated CPE hours, giving some time to collect. To be honest, I have never been to an audit and I know only one person who participated in this process. ISACA itself does not give a clear statement of requirements for materials, simply referring to them as supporting documentation. Since, on the whole, issues of ethics are given rather close attention, it is not surprising that ISACA intimidates with withdrawing certification if there are any inconsistencies. Personally, my opinion is that there will most likely be an opportunity to explain and clarify the situation before irreversible consequences come. However, this should remind you once again of the framework of permissible "manipulations" associated with obtaining CPE hours. My personal advice is not to be cunning, especially when there are completely legal and not very burdensome methods at hand, which I described above.

How do I approach the documentation process:

1. For all webinars that I pass on the ISACA website, I download certificates that become available some time after completion. In principle, certificates are always on the site, but I prefer to have an offline copy. So, just in case. Yes, and more convenient to sort them by year. Certificates are available in the section myLearning, subsection Transcriptions:
   
2. For trainings that are organized by my employer, I always ask to send an internal certificate. There is a global training team in our company that closely monitors that everyone can credit themselves with the hours they have passed. I think this is primarily due to financial and business auditors (of whom there are usually more), who have a situation with CPE hours that are definitely not easier than in an IT audit. Our certificates always indicate the name of the company (something like the corporate letterhead of the corporate certificate), the name and date of the courses, as well as the pre-calculated number of CPE hours. Such prudence on the part of colleagues in 2018 resulted in a slight misunderstanding, when from the three-day conference, the company itself told us only 7 CPE hours, and I counted on 20 pieces :)
3. For courses and trainings that are organized with less care, there are alternative documentation options that are described on the ISACA website. The method that I read in the official FAQ is as follows: it is necessary to collect attendance sheets (I finally understand why we sign on attendance sheets at the very beginning and end of trainings), a presentation, a schedule or a training plan. Also, a letter from the head confirming the fact of the training will not be superfluous.

Usually, between the time when you register your CPE hours and the end of the year, there is a small amount of time that allows technical support to ask all your questions in case of incomprehensible situations.

How else can you earn CPE hours

ISACA provides many other opportunities to get CPE hours, including the following free ones:

1. Participation in the activity of the organization as a volunteer. This includes volunteer groups, various projects, activities of the regional office. I, frankly, never contacted the local branch for one reason or another. But I suspect that lovers of active communication with their colleagues can choose this option. Moreover, meeting new people from a professional environment is never superfluous. Thus, you can get up to 20 free hours per year.
2. The passage of quizzes (Quiz) on journals, which ISACA publishes every two months. This method is available only to members of the organization, which once again prompts you to continue to pay membership dues. A total of up to 6 free hours per year is possible.
3. Mentoring. Here you can count various hours spent on training your colleagues, assisting them in preparing for the ISACA professional certification exam (CISA, CRISC, CISM, CGEIT). Thus, you can get up to 10 free hours per year.

Total, along with 36 hours for webinars, we can receive up to 72 CPE hours per year without any financial injections.

In addition, there are always paid alternatives, such as professional conferences, online trainings and courses that ISACA actively promotes through mailing lists, advertising on the site and in magazines. Most conferences are held in North America and therefore difficult to access for Russian specialists, but you may be able to convince your employer to pay you for such an event.

From time to time, the following options are also encountered:

1. Participation in surveys. They come to the email irregularly, maybe once a year. For them, give 1 CPE hours, but they do not last 5 minutes, since there are quite a few questions.
2. For passing the exam for the second and subsequent certifications, you can count up to 8 CPE hours for those received earlier. So, in my case, I passed the CRISC exam in early 2019 and this exam automatically appeared on my list of CPE hours for the current year. Theoretically, I can count it not only for the old CISA, but also in the piggy bank of the newly obtained CRISC certification, although in fact it makes no sense, since the CPE hours accounting for the new certification only starts in 2020.

CPE entry hours

CPE hours are entered in the profile on the ISACA website and an overview of all registered hours is also available there. In my case, the last few entries look like this:


For the hours that ISACA itself provides (this is indicated in the rightmost column), the entry appears automatically, but you need to confirm it by clicking on the icon in the leftmost column and filling in the missing data. In my case, with the exam, I had to choose how many hours I would like to record and what certification, since I now have two. In the case of webinars, the source of the CPE hours is also considered to be ISACA and the recording appears automatically, although a delay is possible. From my experience, it may take up to a day in order for the viewed webinar to go to the table (in the image, the first entry is a webinar that I have not yet confirmed).

Brief conclusions

1. Before you pay for something related to professional training and certification from your own pocket, do not hesitate to approach your manager (personnel officer or other employee who is suitable for the duties) and clarify whether the company can incur these costs.
2. Always come or go to training on time. Or at least take care to have your signature in front of your name.
3. Ask your training department (or people responsible for the organization) to provide you with a certificate or other evidence of the training.
4. In the event that it is not possible to obtain a certificate from the training, collect the maximum of available certificates. By the way, I advise you to do a scan of the visiting list right away, since in most cases their careful storage is not interesting to anyone except you.
5. Soft skills (I apologize for Anglicism) can also be counted as CPE hours, but here each already determines the limit of what is related to vocational training. You can always refer to the list of topics of the relevant certification (in the CISA there are five such sections).
6. If it's December, and you do not have enough points up to the annual limit, we urgently run to watch webinars from the archive or begin to mentor over colleagues.

In general, the process of maintaining CPE hours at the required level is not too time consuming and after a couple of years comes almost to automatism. High culture in the training department also contributes to success. I hope you find this small guide useful. If you have questions, you are welcome in the comments.