February 2008

To learn the latest on how to become an IT auditor, see "So You Want to Be an IT Auditor?" in the October 2012 issue of Internal Auditor.

The Path to IT Audit

How and why do professionals become IT auditors? The path to an IT audit career can be a rocky but rewarding journey, according to these lessons from veterans in the field.

Shawna Scharf
Contributing Staff Writer

Survey a class of first graders anywhere in North America and ask them the standard question: What do you want to be when you grow up? "I want to be a doctor," they'll lisp, or a firefighter, or a basketball player. You might even get a few bankers or lawyers. What you will never hear from a single child is "I want to be an auditor," much less an IT auditor, unless they've been coached by a CISA-certified parent. For most people, the desire to become an IT auditor is something that has to develop over time, like a taste for Brussels sprouts or perhaps Scotch. Others, however, are passionate about IT auditing from the first time they realize the potential of data mining or how to stop hackers in their tracks.

Given today's global landscape and market needs, even auditors who are not considering the move to IT must take into account the pervasiveness of technology — skills that were once considered specialties of IT auditors are now required of all internal auditors. In this article, five professionals talk about what led them into the field of IT auditing and how others might do the same.

Meet the Experts

Dick Price, FCA QiCA FIIA QSA
Data analysis specialist with 31 years' experience in information security auditing, consultancy, and training.

Heriot Prentice, MIIA, FIIA, QiCA
Director of Standards and Guidance, The IIA
15 years' experience in internal and IT auditing; 7 years' experience in fraud and forensics.

James Reinhard, CPA, CIA, CISA
Manager, Simon Property Group Inc.
More than 20 years' experience in IT and integrated auditing.

Peggy Surat, CISA, CISM
Senior IT Auditor, EDS
7 years' internal audit experience; 20 years' IT experience.

Peter Davis
Principal, Peter Davis + Associates
29 years' experience in IT governance.

WHY GO THERE?

The reasons why professionals enter the IT audit field vary widely. With the tremendous growth of technology, many auditors see IT audit as a way to set themselves apart from their peers. James Reinhard, audit manager with Simon Property Group Inc., says, "In the early 1980s, as a financial auditor, I saw the need to understand technology and wanted a career advancement boost — an edge on others. So, with the encouragement of my spouse, I took night classes and received a master's degree in computer science and information science. Upon graduation, and with several offers in hand, I began my career in IT auditing."

Heriot Prentice, IIA director of standards and guidance, sums up his decision to enter the field of IT auditing in two words: job security. "I was working for the government in Scotland in 1987 and saw that more auditors were required for IT audits. I knew it would be a great career move if I could get on that learning curve." Because of the government's limited training resources, Prentice taught himself by reading everything he could find on a broad range of technology subjects. Later, after taking a position with Deloitte, Prentice received his training on the job.

Job security wasn't the only reason Prentice made the switch. Like many auditors, he discovered that he had a passion for IT in the course of doing his job. Dick Price, director and security consultant with Beacon I.T. Ltd., discovered his passion when he was sent by KPMG to an audit interrogation software course. "I was so taken with the fact that I knew more about someone else's data than they knew and by the feeling of power that it gave me. I loved interrogating data, but then found I needed a little bit more to go with it, so I moved into IT auditing."

Others view the burgeoning field of IT audit as a way to challenge their abilities. Peter Davis, principal of Peter Davis + Associates, states, "I believe the challenges are what make the job so interesting. IT auditors need to continuously evolve by keeping abreast of new technology and techniques."

At a particular advantage are individuals who already have extensive IT experience and wish to capitalize on this knowledge in the audit field. Prentice believes that it is easier to teach an IT person audit skills than for an auditor to learn IT skills from scratch. Peggy Surat, senior information systems auditor with EDS, is one of thousands of IT professionals who have acquired internal audit accreditation. She explains, "Because I had an in-depth knowledge as an IT practitioner, I felt that I would be the best person to assess risks and controls and recommend solutions for weaknesses. I wanted to be a part of the solution and not part of the problem."

WHAT SKILLS DO PROSPECTIVE IT AUDITORS NEED?

Regardless of what causes a professional to enter the field, he or she should have certain characteristics important to a successful IT audit career. An IT auditor should have IT, financial, and operational audit experience, according to Reinhard. He sums up these qualifications by saying, "The ideal IT auditor should be able to discuss IP routing with the network folks in one hour and financial statement disclosures with the controller in the next." And, as with all audit positions, communication and other soft skills are crucial as well. Reinhard presents the following as a general list of attributes:

  • Basic audit skills. Basic audit certifications are needed, including the Certified Public Accountant or Certified Internal Auditor designations.
  • Desire to understand technology. A genuine interest in all things technical usually preceded a decision to go into IT auditing.
  • Educational background in computer science or related field. The growing complexity and vulnerabilities of computer networks require that all auditors have some degree of technical expertise. Price explains, "I used to recruit IT personnel, including programmers, IT department managers, etc., who became very good IT auditors. If they had ITIL [IT Infrastructure Library] skills or something similar, that helped, but in my mind, was not essential."
  • Communication skills. Many internal auditors, and especially IT auditors, lack good communication skills, according to Davis. "IT auditors need to remember their geek-speak, but also brush up on their business argot. IT auditors need to speak the language of all your stakeholders so they can translate complex technical problems into quantifiable business decisions."
  • Ability and willingness to train others in general IT audit skills. Because much of what IT auditors learn is through on-the-job training, IT auditors must be able to train coworkers and subordinates in the fast-paced environment of IT auditing.
  • The ability to understand new technologies in a short time period. With the meteoric rise in new technologies, coupled with the increasing sophistication of hackers, IT auditors must be able to stay on top of the most current trends.

WHAT CERTIFICATIONS DO IT AUDITORS NEED?

Once an auditor has decided to pursue a career in IT auditing, he or she must choose from a wide range of ever-evolving technology skills and certifications. Even an auditor with extensive experience will most likely need certifications to back up that knowledge, according to Prentice. Below are some of the more general certifications:

  • Certified Information Systems Auditor (CISA): ISACA's globally recognized cornerstone certification for IS, audit, control, assurance, and security professionals who control, monitor, and assess an organization's information technology and business systems. This is considered the current industry standard for IT auditors.
  • Certified Information Systems Security Professional (CISSP): An independent information security certification governed by the International Information Systems Security Certification Consortium, also known as ISC², which provides security training to information assets.
  • Certified Information Security Manager (CISM): ISACA's certification program for those who manage, design, oversee, or assess an enterprise's information security.
  • Microsoft Certified Systems Engineer (MCSE): Microsoft's certification in designing and implementing infrastructure based on the Microsoft Windows 2000 platform and Windows Server System.

Price adds that IT auditing also demands an area of expertise within an overall framework. "My overall framework is ISO 27001 and ISO 27002 [formerly ISO 17799]. My specialty, apart from detailed data investigation, is management of information security. Others may have network and communication skills or be specialists with penetration testing, for example." Likewise, Prentice obtained a Certified Fraud Examiner (CFE) certification to give him credibility in his area of concentration — fraud and forensics.

Reinhard emphasizes the business aspect of internal auditing: "IT auditors, like any other auditor, should have a sufficient understanding of the business, financial, and operational controls to be able to add value in a system development project. The idea is that the IT auditor has a general understanding of all aspects of a development review so that they know when to call in the financial or operational audit experts."

With new and updated certifications being developed to match the growth of technology on the whole, IT auditors would be wise to seek more than standard training, according to Davis. "Auditors should look outside the box and focus on governance, compliance, forensics, and project management." Following is an additional list of certifications that can enhance an IT auditor's core qualifications:

  • Certified in the Governance of Enterprise IT (CGEIT): ISACA's certification developed for professionals who have a significant management, advisory, or assurance role relating to the governance of IT.
  • ITIL Certification: Certification in ITIL represents knowledge in a comprehensive set of management procedures with which an organization can manage its IT service operations. ITIL is based on documents originally created by the UK Office of Government Commerce.
  • Certified Security Compliance Specialist (CSCS): The U.S. Health Insurance Portability and Accountability Act's certification, which requires a comprehensive treatment of major information security regulations and standards.
  • Certified Fraud Examiner (CFE): A designation awarded by the Association of Certified Fraud Examiners that denotes expertise in fraud prevention, detection, deterrence, and investigation.
  • Project Management Professional Credential (PMP): Offered by the Project Management Institute for professionals who manage multiple related projects that are aligned with an organization's strategy.
  • Projects in Controlled Environments Certification (PRINCE2): A process-based method for effective project management and the de facto standard used extensively by the UK government and other countries around the world.

HOW CAN IT AUDITORS STAY UP-TO-DATE?

Once the proper certifications and training are in order, the greatest challenge becomes staying on top of the influx of data that continues to flood all areas of IT. In addition to receiving training in designated specialties, auditors can follow trends in IT auditing by:

  • Participating and networking with other IT auditors through local Institute of Internal Auditors and ISACA chapters.
  • Subscribing to and reading IT audit journals and publications, including ITAudit and GTAG.
  • Participating in listservs by reviewing communications and asking questions.
  • Attending conferences and seminars in IT and other audit areas.
  • Tapping their IT organization for training; for new or acquired technologies, vendor training is often available.

Most important, IT auditors need to adopt a philosophy of continuous lifelong learning, according to Davis. "Take any and all opportunities to learn, such as joining a mailing list and listening to a webinar or podcast, and it wouldn't hurt to open a book, visit a Web page once in a while, and study a subject," he says. Surat agrees: "Keeping up-to-date can be achieved by self-study in ever-evolving technologies, benchmarking with other companies, leveraging Internet audit resources, and networking with other IT auditors."

WHAT DOES THE FUTURE HOLD?

With all of the complex legislation being passed and new technologies being discovered, the future of IT auditing looks bright, if not blinding. Prentice predicts that although some auditors might find the subject matter a little dry, compliance with regulations and legislation is sure to be a booming area for IT auditing.

In terms of specific technology trends, Surat and Davis believe that voice over Internet protocol (VoIP) issues will play a major role in IT audit's future. According to Surat, "Voice and data communications is moving to a VoIP solution, which has many inherent financial, data privacy, and network configuration-related risks. Also, management of the end-to-end software life cycle seems to be a common issue, and with the availability of freeware and downloadable software, best practices and total assurance of the environment can result in control and vendor management issues."

Davis throws wireless into the mix as well: "If you thought wireless was bad to date, you haven't seen anything yet. Put wireless together with VoIP, and you have some real audit challenges."

Reinhard sums up his position by stating: "IT auditors can take advantage of opportunities, especially if they are willing to go beyond an IT audit base and understand the business environment. The most value for an audit department is for the IT auditor to remain up-to-date on the technologies proposed or used by his or her business."

While all interviewees agreed that IT governance, compliance, and risk management would be the cornerstone of future IT audit opportunities, regardless of what the future brings, one thing seems guaranteed — with the assured growth of technology, those who choose careers in IT auditing will have unlimited potential.

To comment on this article, e-mail the author at shawna.scharf@theiia.org.


IT auditor
It was a very good article. It helped me with my project for my computer class, and it makes me want to be an IT auditor when I grow up.
Posted By: a middle school student
2013-12-19 3:01 PM

Learn more about auditing
I am an advance level holder of accounting and wish to continue my studies until I become an auditor haven't love it from birth. Thank you for your advice on what next to do.
Posted By: Jitah Nasala
2013-11-21 1:30 PM

IT Auditor
Hi, I'm studying in BSc (Computer Science) second year. After graduation, how do I become an IT Auditor? And in which university is this course present? Please give me some information. Thank you...
Posted By: Rajesh Bohra
2013-09-08 6:10 AM

Acknowledgement of IT Auditors
This is a great field and maybe some day I'll venture further down this path. I'm mainly involved in other projects but having certification like this adds huge credit to your name. Thanks Aadil Durban Web Design
Posted By: Aadil
2013-08-20 7:20 AM

IT Audit Career
I am holding a BTECH & MBA. I have been working as an internal IT auditor for our project where we do for SOX compliance (IT General controls). I haven't done any certifications to boost my knowledge, just have the project work knowledge. Could you guide me in which course to start with?
Posted By: Sukumar
2013-07-28 1:28 PM

Guidance to become professional IT auditor
Hi, I have 4 years development and 7 years of academic experience. I am from IT background. I have passed my CISA exam. I need your guidance to know how can I start with my IT auditor career.
Posted By: Kalyani Deshpande
2013-07-04 8:30 AM

Career Path to become an IT auditor
Hi, I am application developer having 4.5 yrs of solid techno functional experience in capital markets and investment banking practice. I now want to leverage my experience and shift to the functional side of it, i.e. auditing. Can someone please guide me on from where should I start to help me get into auditing. Thanks
Posted By: Nakul Saolapurkar
2013-06-16 2:33 AM

What skills or certification do I need to pursue for my career advancement
I am Engineering graduate. Holding Exp of 4.8 Yrs. Currently working as IT Auditor / Information security manager. Certification Held: ITIL, CCNA, MCP
Posted By: Mukesh
2013-04-11 4:20 AM

IT Auditor
I currently passed CISA with financial audit background, I seek your help to transit to an IT Audit role.
Posted By: Lanre
2013-03-18 6:46 AM

How to be IT auditor
Hi, I am fresh for this field and I have not enough knowledge. What should I do to be an IT auditor? I hope you forward some useful information about it.
Posted By: Abreham
2013-01-08 7:53 AM

Software Licensing/Compliance Auditor
I am wondering what would be needed to become an auditor of software licensing and compliance. I have been in IT for over 11 years; hold a BS in Information Technology and an MBA in Business Administration. Your advice is appreciated.
Posted By: Tanisha Laney
2012-12-05 6:43 PM

IT Auditor
I have completed my BTech: Internal Auditing. Am I suitable for an IT Auditor position? If not, what can I further do to become an IT Auditor?
Posted By: Philisile Ngcobo
2012-11-28 1:08 AM

IT auditor
I wish to attach a study leads to able me to set a programme for auditors. In which universities or colleges in Montreal or another coverns can I achieve my aim? Regards
Posted By: AMMAR
2012-10-30 12:05 PM

How to become an IT Auditor?
Is becoming a CPA the best way to become an IT Auditor? Do most IT Auditors work for CPA firms? Which masters degree would be best, a Masters in Accounting or a Masters in Computer Management Systems?
Posted By: Robert Torres
2012-10-09 1:06 PM

How to Pursue for an IT Auditor
Hi! I am a Senior Software Programmer (India), interested to become an IT Auditor in the Software field. Please suggest me the respective details. Thanks & Regards, Shubhankar Sarkar
Posted By: Shubhankar Sarkar
2012-08-16 8:16 AM

IT Auditing
Kindly provide me with guidance on how to enroll for this course. I need to do CISA and would like information on how to join this training programme. Also include cost involved. Thanking you in anticipation.
Posted By: Gift Kozo Mwinga
2012-07-30 7:19 AM

IT Auditing
Please advise me on IT auditing as a career choice and which education system to follow.
Posted By: Sandiram
2012-07-17 2:50 AM

Looking for a job - IT Auditor
My name is Bindi Naik and I am a Senior IT Auditor. I used to work for Pricewaterhouse Coopers, one of the Big Four firms. I have now recently moved to Memphis TN, just two months ago, and will be based here permanently. Please could someone direct me where to apply as I am trying to apply everywhere, but haven't heard much. I hope someone can help me. Thank you
Posted By: Bindi Naik
2012-07-11 6:12 PM

Developing IT Audit career
Hi, I am working in this field for some years. I was wondering, what is the best option to get start becoming certified in this field? I'm more toward IT rather than financial. I have done some researches, but want to hear experts' opinions. Thank you! Narius.
Posted By: Narius
2012-06-27 2:24 AM

IT Auditor
I have completed a Bcom Honours degree in Informatics majoring in Information Systems. Currently I work as a Business Analyst at an IT company for four years now. I need a career shift to IT Auditor. Which steps can I take to become IT Auditor?
Posted By: Malebo
2012-06-22 3:27 PM

