So, what exactly does an IT auditor do? This is a question that I heard countless times at age 22, fresh out of college while working my first full-time job. I can willingly admit, it took me a while to develop an answer that was accurate, yet understood by my family and friends who were not in a similar profession. In this article, I’ll break down the responsibilities of an IT auditor, necessary skills for becoming one, how an IT auditor interacts with other roles throughout their organization, how the role is evolving, the many benefits of this career choice, and next steps to take for those interested in becoming one.
Responsibilities of the Role
First off, there are two types of IT auditors - internal and external. An internal IT auditor works for a public or private company and assesses the internal controls of the organization they work for, with the main purpose of helping strengthen the control environment. An external auditor typically works for a consulting firm or partnership and assesses the control environments of other organizations, usually public companies which have associated regulatory reporting requirements.
While both roles mostly have the same responsibilities, there are some minor differences. Key duties that are relatively similar include scoping the audit plan, interviewing process owners to understand their control environment, collecting evidence, selecting an appropriate population of samples, performing testing on the selected samples, and documenting test results. The biggest difference is that for the internal role, findings and issues are reported to the organization’s management, and for the external role, findings and issues are reported to the client that hired the consulting firm or partnership to perform the audit.
Skills Needed to Become an It Auditor
There are both hard skills and soft skills that recruiters look for when sourcing talent into junior IT audit roles. Typically, strong candidates hold at least a bachelor of science (B.S.) in Computer Information Systems, Information Technology, or another similar major. They also have a technical understanding of IT environments, are proficient in Microsoft Office, and ideally have experience with an auditing tool such as Audit Command Language (ACL) or an audit documentation application.
Candidates can also be set apart by relevant work experience whether it be an internship or a couple of years in a technology-related entry-level role. Many employers look for an industry-recognized certification, such as ISACA’s Certified Information Systems Auditor (CISA) or Certified Information Systems Manager (CISM). Top soft skills that make an IT auditor candidate desirable are being able to successfully influence others (process owners aren’t always quick to agree to an internal audit issue!), translate complex information security concepts into business language that is understood by non-technical management, and present audit issues to an executive audience.
Interaction with Others
There are a few important groups that IT auditors interact with on a daily basis. To start, there are other types of internal auditors, whether they be operational auditors or financial auditors. Many companies perform “integrated audits” where IT auditors partner with business auditors to evaluate an area or process end-to-end, including both IT controls and business controls. In public companies, internal IT auditors also work closely with the company’s external auditors. Audit fees can be reduced for a company when internal IT auditors perform and document work that external auditors can rely upon since it reduces the amount of work that external auditors are required to do and the associated billable hours. Lastly, IT auditors work daily with information technology/information security departments as these are the primary groups that they audit. To make an audit experience as smooth as possible, IT auditors should learn as much as possible in advance about the area they are auditing.
An Evolving Role
The IT audit profession is not a stagnant one. With the rapid pace of today’s technology development, there is always something new to learn. Successful IT auditors need to stay on top of technology trends that impact their industry to ensure they are helping their organization appropriately mitigate IT risk. As IT auditors often gain a comprehensive view of their organization by auditing various areas, management does see the value with offering job rotations or even internal transfers. These would typically align to another risk-based function, such as compliance, IT risk, or cybersecurity.
Benefits to Being an IT Auditor
Internal audit is a great career choice for many reasons. In the job market, I cannot recall a recent time when auditors were not in great demand. Regulatory requirements that need the work that an internal audit department performs are only increasing, especially in the technology and cybersecurity space. The internal audit function is a transferable skill across industries, meaning even if you start your career in IT audit in the financial services industry, many of the concepts apply to other corporate industries as well - manufacturing, consumer goods, insurance - you name it - the job mobility is high.
There is the choice between internal audit and external audit, and although as we covered earlier slight differences do exist between the two, most of the responsibilities and necessary skills overlap. Just because you start as one, doesn’t mean you cannot easily switch to the other - I seamlessly joined an internal audit department after spending only 18 months as an external auditor. Lastly, and arguably most importantly, the work an auditor performs is crucial to the success of an organization! Both public and private companies need to be focused on a strong control environment that reduces risk. Why? The occurrence of control failures may result in the loss of customer trust, negative financial impact, or broken operational processes. Any of these can damage a company in both the short and long term.
How to Get Started in This Role
Most companies have a minimum requirement for IT auditors to have a four-year degree, so having this is the first step. Relevant work experience is essential - either holding a summer internship while completing a degree or spending time in an entry-level IT role are both ways to gain this experience. Lastly, obtaining a professional certification demonstrates expertise and validates that a candidate has the appropriate knowledge to be successful in the role.
Don't forget to mark your calendars for the highly-anticipated IT Audit & Controls Conference this July. Here's everything you need to know.