February 2008
The Path to IT Audit
How and why do professionals become IT auditors? The path to an IT audit career can be a rocky but rewarding journey, according to these lessons from veterans in the field.
Shawna Scharf
Contributing Staff Writer
Survey a class of first graders anywhere in North America and ask them the standard question: What do you want to be when you grow up? "I want to be a doctor," they'll lisp, or a firefighter, or a basketball player. You might even get a few bankers or lawyers. What you will never hear from a single child is "I want to be an auditor," much less an IT auditor, unless they've been coached by a CISA-certified parent. For most people, the desire to become an IT auditor is something that has to develop over time, like a taste for Brussels sprouts or perhaps Scotch. Others, however, are passionate about IT auditing from the first time they realize the potential of data mining or how to stop hackers in their tracks.
Given today's global landscape and market needs, even auditors who are not considering the move to IT must take into account the pervasiveness of technology — skills that were once considered specialties of IT auditors are now required of all internal auditors. In this article, five professionals talk about what led them into the field of IT auditing and how others might do the same.
MEET THE EXPERTS
Dick Price, FCA QiCA FIIA QSA: Data analysis specialist with 31 years' experience in information security auditing, consultancy, and training.
Heriot Prentice, MIIA, FIIA, QiCA: Director of Standards and Guidance, The IIA. 15 years' experience in internal and IT auditing; 7 years' experience in fraud and forensics.
James Reinhard, CPA, CIA, CISA: Manager, Simon Property Group Inc. More than 20 years' experience in IT and integrated auditing.
Peggy Surat, CISA, CISM: Senior IT Auditor, EDS. 7 years' internal audit experience; 20 years' IT experience.
Peter Davis: Principal, Peter Davis + Associates. 29 years' experience in IT governance.
WHY GO THERE?
The reasons why professionals enter the IT audit field vary widely. With the tremendous growth of technology, many auditors see IT audit as a way to set them apart from their peers. James Reinhard, audit manager with Simon Property Group Inc., says, "In the early 1980s, as a financial auditor, I saw the need to understand technology and wanted a career advancement boost — an edge on others. So, with the encouragement of my spouse, I took night classes and received a master's degree in computer science and information science. Upon graduation, and with several offers in hand, I began my career in IT auditing."
Heriot Prentice, IIA director of standards and guidance, sums up his decision to enter the field of IT auditing in two words: job security. "I was working for the government in Scotland in 1987 and saw that more auditors were required for IT audits. I knew it would be a great career move if I could get on that learning curve." Because of the government's limited training resources, Prentice taught himself by reading everything he could find on a broad range of technology subjects. Later, after taking a position with Deloitte, Prentice received his training on the job.
Job security wasn't the only reason Prentice made the switch. Like many auditors, he discovered that he had a passion for IT in the course of doing his job. Dick Price, director and security consultant with Beacon I.T. Ltd., discovered his passion when he was sent by KPMG to an audit interrogation software course. "I was so taken with the fact that I knew more about someone else's data than they knew and by the feeling of power that it gave me. I loved interrogating data, but then found I needed a little bit more to go with it, so I moved into IT auditing."
Others view the burgeoning field of IT audit as a way to challenge their abilities. Peter Davis, principal of Peter Davis + Associates, states, "I believe the challenges are what make the job so interesting. IT auditors need to continuously evolve by keeping abreast of new technology and techniques."
At a particular advantage are individuals who already have extensive IT experience and wish to capitalize on this knowledge in the audit field. Prentice believes that it is easier to teach an IT person audit skills than for an auditor to learn IT skills from scratch. Peggy Surat, senior information systems auditor with EDS, is one of thousands of IT professionals who have acquired internal audit accreditation. She explains, "Because I had an in-depth knowledge as an IT practitioner, I felt that I would be the best person to assess risks and controls and recommend solutions for weaknesses. I wanted to be a part of the solution and not part of the problem."
WHAT SKILLS DO PROSPECTIVE IT AUDITORS NEED?
Regardless of what causes a professional to enter the field, he or she should have certain characteristics important to a successful IT audit career. An IT auditor should have IT, financial, and operational audit experience, according to Reinhard. He sums up these qualifications by saying, "The ideal IT auditor should be able to discuss IP routing with the network folks in one hour and financial statement disclosures with the controller in the next." And, as with all audit positions, communication and other soft skills are crucial as well. Reinhard presents the following as a general list of attributes:
WHAT CERTIFICATIONS DO IT AUDITORS NEED?
Once an auditor has decided to pursue a career in IT auditing, he or she must choose from a wide range of ever-evolving technology skills and certifications. Even an auditor with extensive experience will most likely need certifications to back up that knowledge, according to Prentice. Below are some of the more general certifications:
Price adds that IT auditing also demands an area of expertise within an overall framework. "My overall framework is ISO 27001 and ISO 27002 [formerly ISO 17799]. My specialty, apart from detailed data investigation, is management of information security. Others may have network and communication skills or be specialists with penetration testing, for example." Likewise, Prentice obtained a Certified Fraud Examiner (CFE) certification to give him credibility in his area of concentration — fraud and forensics.
Reinhard emphasizes the business aspect of internal auditing: "IT auditors, like any other auditor, should have a sufficient understanding of the business, financial, and operational controls to be able to add value in a system development project. The idea is that the IT auditor has a general understanding of all aspects of a development review so that they know when to call in the financial or operational audit experts."
With new and updated certifications being developed to match the growth of technology on the whole, IT auditors would be wise to seek more than standard training, according to Davis. "Auditors should look outside the box and focus on governance, compliance, forensics, and project management." Following is an additional list of certifications that can enhance an IT auditor's core qualifications:
HOW CAN IT AUDITORS STAY UP-TO-DATE?
Once the proper certifications and training are in order, the greatest challenge becomes staying on top of the influx of data that continues to flood all areas of IT. In addition to receiving training in designated specialties, auditors can follow trends in IT auditing by:
Most important, IT auditors need to adopt a philosophy of continuous lifelong learning, according to Davis. "Take any and all opportunities to learn, such as joining a mailing list and listening to a webinar or podcast, and it wouldn't hurt to open a book visit a Web page once in a while and study a subject," he says. Surat agrees: "Keeping up-to-date can be achieved by self-study in ever-evolving technologies, benchmarking with other companies, leveraging Internet audit resources, and networking with other IT auditors."
WHAT DOES THE FUTURE HOLD?
With all of the complex legislation being passed and new technologies being discovered, the future of IT auditing looks bright, if not blinding. Prentice predicts that although some auditors might find the subject matter a little dry, compliance with regulations and legislation is sure to be a booming area for IT auditing.
In terms of specific technology trends, Surat and Davis believe that voice over Internet protocol (VoIP) issues will play a major role in IT audit's future. According to Surat, "Voice and data communications is moving to a VoIP solution, which has many inherent financial, data privacy, and network configuration-related risks. Also, management of the end-to-end software life cycle seems to be a common issue, and with the availability of freeware and downloadable software, best practices and total assurance of the environment can result in control and vendor management issues."
Davis throws wireless into the mix as well: "If you thought wireless was bad to date, you haven't seen anything yet. Put wireless together with VoIP, and you have some real audit challenges."
Reinhard sums up his positions by stating: "IT auditors can take advantage of opportunities, especially if they are willing to go beyond an IT audit base and understand the business environment. The most value for an audit department is for the IT auditor to remain up-to-date on the technologies proposed or used by his or her business."
While all interviewees agreed that IT governance, compliance, and risk management would be the cornerstone of future IT audit opportunities, regardless of what the future brings, one thing seems guaranteed — with the assured growth of technology, those who choose careers in IT auditing will have unlimited potential.
To comment on this article, e-mail the author at shawna.scharf@theiia.org.