So You Want to Be an IT Auditor?
Practitioners need a combination of technical and people skills to forge a career in auditing technology.
A recent news headline asked, “Is Knight’s $440 million glitch the costliest computer bug ever?” According to the CNN Money article, in less than one hour, a defect in Knight Capital Group’s software caused its computers to execute a series of orders that were supposed to be spread over several days. “Computers do what they’re told,” says Lawrence Pingree, an analyst at Gartner. “If they’re told to do the wrong thing, they’re going to do it, and they’re going to do it really, really well.” Because of the computer glitch, the company nearly went bankrupt.
Such potentially catastrophic events pose a serious threat to organizations that are investing billions of dollars in their computer systems, databases, and supply chains to compete and leverage customer relationships. This dependence on complex computing and large-scale data schemes has led organizations around the globe to recognize how IT auditors can help them understand the constantly shifting risks of the information age.
IT auditors follow all the same ethical and independence parameters as financial auditors, but their focus is on the governance of IT systems and processes. With audits and projects ranging from business continuity to development processes to information security, these practitioners assist their organizations with a wide range of topics. To be effective, though, IT auditors must acquire the right hard and soft skills, get the appropriate education, and build a solid foundation of experience.
The hard skills IT auditors need include a strong understanding of general computer controls (GCCs), data analytics, basic system infrastructure, and risk assessment. One place to start learning about GCCs is The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control–Integrated Framework and related guidance. According to the COSO framework, GCCs are a subset of an organization’s internal controls and are used to mitigate threats and gain various types of compliance.
Data analytics is a process of inspecting, cleaning, transforming, and modeling data to highlight useful information, suggest conclusions, and support decision-making. IT auditors use specialized data analysis tools or off-the-shelf database and spreadsheet software to detect fraud, find data errors, and help the organization eliminate waste. There are many reference guides to using these applications, including the popular Dummies books.
A basic understanding of system infrastructure also is essential for an IT auditor. Practitioners must be knowledgeable about networks, hardware, operating systems, databases, and applications — the skeletal system for most organizations and a target of ever-changing threats. Many colleges and universities offer programs for learning the basics of computers, networks, and databases. For example, the Massachusetts Institute of Technology’s Open Courseware program offers all its classes online for free, albeit without course credit.
Additionally, IT auditors must be able to look at a situation and assess its risk. Whether it is a new company initiative, international expansion, cloud computing, or any other development, IT risks are present and can be detrimental if they are not assessed and addressed appropriately by the organization. The IIA’s Global Technology Audit Guides (GTAGs) — which are free downloads for members — are a great way to gain an understanding of IT risks and controls.
Finally, to demonstrate his or her competence to prospective employers, a person striving to be an IT auditor should obtain certifications including ISACA’s Certified Information Systems Auditor and the Certified Information Systems Security Professional from the International Information Systems Security Certification Consortium. Gaining these certifications will provide the IT audit candidate with a strong systems infrastructure and audit foundation. Moreover, most IT audit positions require a person to have or gain at least one of them. In addition to these certifications, many university degree programs, such as Information Systems Management and Computer Science, provide a good foundation for an IT audit career.
In addition to hard skills, the IT auditor must have a strong repertoire of soft skills that include translating “geek speak” to “business speak.” People who want to be an IT auditor must understand that in many situations, the decision-makers who need to know how to deal with IT risks lack the technical savvy to understand the impact of those risks. One of the most important skills an IT auditor can have is the ability to convey IT issues in a manner that enables nontechnical business managers to grasp the severity of the situation and the recommendations to mitigate the risk. For example, if a company risked a breach of data, the IT auditor would need to quantify the impact that data breach would have on the business in terms of brand image, loss of customers, and regulatory fines. This way, the business executives could understand the overall risk and make an informed decision on the IT security measures the company would take. One way to become more adept at speaking clearly to business managers is to participate in local speaking clubs such as Toastmasters, which allow people to practice presenting to a wide audience.
Conversely, the IT auditor also must be able to speak about highly technical topics when interviewing system administrators, system architects, and other IT personnel. Developing relationships with the organization’s IT personnel and building trust enables practitioners to get the information they need. Finally, having the ability to grasp concepts quickly and find the root cause of an issue is essential. Many IT audit soft skills only come with experience. A person in college can gain the necessary experience through classes, internships, and volunteer opportunities. Prospective IT auditors who are already employed can look into audit rotations, ask to assist on IT audit projects, or volunteer to help test U.S. Sarbanes-Oxley Act of 2002 technology controls or support other compliance efforts.
Finding an IT Audit Opportunity
To find IT audit internships or job opportunities, it is essential to network with others in the profession. Joining local chapters of The IIA or technology associations is a good starting point, as is making contacts through IT professors and business mentors.
The good news for those who make the effort is that demand for IT audit professionals is rapidly increasing. According to CNN Money, accounting and IT audit are some of the fastest-growing professions, with 22 percent to 30 percent growth estimated for 2008-2018. Organizations are looking for IT audit professionals to assess and recommend ways to mitigate the impacts of today’s technology risks. Demonstrating the desire to learn and stretch their capabilities is the best way for individuals to work into an IT audit career.
Cliff Donathan, CIA, CISA, CISSP, is an IT audit principal with a national retailer.