Some jobs are more challenging to explain than others. It took me years to create a working definition for friends and family who don’t know the ins and outs of IT. In this article, I’ll walk through the fundamentals of what IT auditors do, the necessary skills, and how to become an auditor. It’s a fascinating and ever-changing career that can change your life if you pursue it.
Key duties of an IT auditor are:
Scoping the audit plan
Interviewing process owners to understand their control environment
Selecting an appropriate population of samples
Performing testing on the selected samples
Documenting test results
There are two types of auditors, and their specific duties differ. An internal IT auditor assesses the organization’s internal controls to help strengthen the control environment. An external auditor works for a consulting firm and assesses the control environments of other organizations, usually public companies that have regulatory reporting requirements. Internal auditors report findings and issues to their organization’s management, while external auditors report to the client who hired the consulting firm.
When recruiters look to fill junior IT audit roles, there are a few main qualifiers:
Bachelor of Science (B.S.) in Computer Information Systems, Information Technology, or another similar major
A technical understanding of IT environments
Proficiency in Microsoft Office
Experience with an auditing tool such as Audit Command Language (ACL) or an audit documentation application
Beyond these basics, recruiters prefer candidates with relevant work experience such as an internship or a few years in an entry-level technology role and industry-recognized certifications such as ISACA’s Certified Information Systems Auditor (CISA) or Certified Information Systems Manager (CISM).
Professional development organizations are a great way to learn IT environments, auditing tools, and prepare for certification tests.
As with many people-facing technology jobs, great auditors need excellent communication skills. It’s not always easy for process owners to hear and accept that their process needs changes. You’ll need the ability to communicate complex IT issues to non-technical management and to present audit issues to an executive audience.
Here are a few essential groups that IT auditors interact with daily:
Business, operational, and financial auditors. Many companies perform “integrated audits,” where IT auditors partner with business auditors to evaluate an area or process end-to-end, including IT controls and business controls.
External auditors. It benefits companies to have an internal audit team that can communicate well with external auditors to reduce overall costs. Internal IT auditors can perform and document work that external auditors rely upon, reducing their workload and the associated billable hours.
Information technology/information security departments. These are the primary groups being audited. To make an audit experience as smooth as possible, IT auditors should learn as much as possible in advance about the area they are auditing. If you can effectively communicate with stakeholders and partners, you have a crucial skill that sets great auditors apart.
IT auditing might be a great career move. I cannot recall a recent time when auditors were not in great demand. Regulatory requirements continue to increase, meaning there’s an ever-growing demand for auditors, especially in the technology and cybersecurity space. Auditing skills apply across industries, including financial services, manufacturing, consumer goods, and insurance.
It’s also easy to move between internal and external auditing. I seamlessly joined an internal audit department after spending only 18 months as an external auditor. In the IT audit profession, you’re always learning. The rapid pace of technology development means you’re still learning something new. Successful IT auditors stay on top of technology trends to ensure they’re mitigating IT risk responsibly. IT auditors often gain a comprehensive view of their organization. Management often offers job rotations or internal transfers to other risk-based functions, such as compliance, IT risk, or cybersecurity. Transfers let you diversify your skill set and improve your job security.
Lastly, you can make a meaningful difference to an organization! Both public and private companies need to be focused on a robust control environment that reduces risk. Why? Control failures can damage customer trust, be expensive, and break operational processes. Auditors form a crucial line of defense.
Most companies have a minimum requirement of a four-year degree. Relevant work experience is essential—either holding a summer internship while completing a degree or spending time in an entry-level IT role can help. Lastly, obtaining a professional certification demonstrates expertise and validates that you have the appropriate knowledge to succeed in the role. A professional learning company like ACI Learning can help you plan your path to IT audit success with classes and professional recruiting services.