The Path to IT Audit
How and why do professionals become IT auditors? The path to an IT
audit career can be a rocky but rewarding journey, according to these
lessons from veterans in the field.
Shawna Scharf
February 01, 2008
Survey a class of first graders anywhere in North
America and ask them the standard question: What do you want to be when you grow
up? "I want to be a doctor," they'll lisp, or a firefighter, or a basketball player. You
might even get a few bankers or lawyers. What you will never hear from a single child
is "I want to be an auditor," much less an IT auditor, unless they've been coached by a
CISA-certified parent. For most people, the desire to become an IT auditor is
something that has to develop over time, like a taste for Brussels sprouts or perhaps
Scotch. Others, however, are passionate about IT auditing from the first time they
realize the potential of data mining or how to stop hackers in their tracks.
Given today's global landscape and market needs, even auditors who are not
considering a move into IT must take into account the pervasiveness of technology:
skills that were once considered specialties of IT auditors are now required of all
internal auditors. In this article, five professionals talk about what led them into the field
of IT auditing and how others might do the same.
Meet the Experts
Dick Price, FCA, QiCA, FIIA, QSA
Data analysis specialist with 31 years' experience in information security auditing,
consultancy, and training.
Heriot Prentice, MIIA, FIIA, QiCA
Director of Standards and Guidance, The IIA
15 years' experience in internal and IT auditing; 7 years' experience in fraud and
forensics.
James Reinhard, CPA, CIA, CISA
Manager, Simon Property Group Inc. More than 20 years' experience in IT and
integrated auditing.
Peggy Surat, CISA, CISM
Senior IT Auditor, EDS
7 years' internal audit experience; 20 years' IT experience.
Peter Davis
Principal, Peter Davis + Associates
29 years' experience in IT governance.
Why Go There?
The reasons professionals enter the IT audit field vary widely. With the
tremendous growth of technology, many auditors see IT audit as a way to set themselves
apart from their peers. James Reinhard, audit manager with Simon Property Group
Inc., says, "In the early 1980s, as a financial auditor, I saw the need to understand
technology and wanted a career advancement boost — an edge on others. So, with the
encouragement of my spouse, I took night classes and received a master's degree in
computer science and information science. Upon graduation, and with several offers
in hand, I began my career in IT auditing."
Heriot Prentice, IIA director of standards and guidance, sums up his decision to enter
the field of IT auditing in two words: job security. "I was working for the government
in Scotland in 1987 and saw that more auditors were required for IT audits. I knew it
would be a great career move if I could get on that learning curve." Because of the
government's limited training resources, Prentice taught himself by reading
everything he could find on a broad range of technology subjects. Later, after taking a
position with Deloitte, Prentice received his training on the job.
Job security wasn't the only reason Prentice made the switch. Like many auditors, he
discovered that he had a passion for IT in the course of doing his job. Dick Price,
director and security consultant with Beacon I.T. Ltd., discovered his passion when he
was sent by KPMG to an audit interrogation software course. "I was so taken with the
fact that I knew more about someone else's data than they knew and by the feeling of
power that it gave me. I loved interrogating data, but then found I needed a little bit
more to go with it, so I moved into IT auditing."
Others view the burgeoning field of IT audit as a way to challenge their abilities. Peter
Davis, principal of Peter Davis + Associates, states, "I believe the challenges are what
make the job so interesting. IT auditors need to continuously evolve by keeping
abreast of new technology and techniques."
At a particular advantage are individuals who already have extensive IT experience
and wish to capitalize on this knowledge in the audit field. Prentice believes that it is
easier to teach an IT person audit skills than for an auditor to learn IT skills from
scratch. Peggy Surat, senior information systems auditor with EDS, is one of
thousands of IT professionals who have acquired internal audit accreditation. She
explains, "Because I had an in-depth knowledge as an IT practitioner, I felt that I
would be the best person to assess risks and controls and recommend solutions for
weaknesses. I wanted to be a part of the solution and not part of the problem."
What Skills Do Prospective IT Auditors Need?
Regardless of what causes a professional to enter the field, he or she should have
certain characteristics important to a successful IT audit career. An IT auditor should
have IT, financial, and operational audit experience, according to Reinhard. He sums
up these qualifications by saying, "The ideal IT auditor should be able to discuss IP
routing with the network folks in one hour and financial statement disclosures with
the controller in the next." And, as with all audit positions, communication and other
soft skills are crucial as well. Reinhard presents the following as a general list of
attributes:
Basic audit skills. Basic audit certifications are needed, such as the Certified
Public Accountant (CPA) or Certified Internal Auditor (CIA) designation.
Desire to understand technology. A genuine interest in all things technical usually
precedes the decision to go into IT auditing.
Educational background in computer science or a related field. The growing
complexity and vulnerability of computer networks require that all auditors
have some degree of technical expertise. Price explains, "I used to recruit IT
personnel, including programmers, IT department managers, etc., who became
very good IT auditors. If they had ITIL [IT Infrastructure Library] skills or
something similar, that helped, but in my mind, was not essential."
Communication skills. Many internal auditors, and especially IT auditors, lack
good communication skills, according to Davis. "IT auditors need to remember
their geek-speak, but also brush up on their business argot. IT auditors need to
speak the language of all your stakeholders so they can translate complex
technical problems into quantifiable business decisions."
Ability and willingness to train others in general IT audit skills. Because much of
what IT auditors learn is through on the job training, IT auditors must be able to
train coworkers and subordinates in the fast-paced environment of IT auditing.
The ability to understand new technologies in a short period of time. With the
meteoric rise of new technologies, coupled with the increasing sophistication of
attackers, IT auditors must be able to stay on top of the most current trends.
What Certifications Do IT Auditors Need?
Once an auditor has decided to pursue a career in IT auditing, he or she must choose
from a wide range of ever-evolving technology skills and certifications. Even an
auditor with extensive experience will most likely need certifications to back up that
knowledge, according to Prentice. Below are some of the more general certifications:
Certified Information Systems Auditor (CISA): ISACA's globally recognized
cornerstone certification for IS audit, control, assurance, and security
professionals who control, monitor, and assess an organization's information
technology and business systems. It is considered the current industry
standard for IT auditors.
Certified Information Systems Security Professional (CISSP): An independent,
vendor-neutral information security certification governed by the International
Information Systems Security Certification Consortium, also known as (ISC)².
Certified Information Security Manager (CISM): ISACA's certification program
for those who manage, design, oversee, or assess an enterprise's information
security.
Microsoft Certified Systems Engineer (MCSE): Microsoft's certification in
designing and implementing infrastructure based on the Microsoft Windows 2000
platform and Windows Server System.
Price adds that IT auditing also demands an area of expertise within an overall
framework. "My overall framework is ISO 27001 and ISO 27002 [formerly ISO 17799].
My specialty, apart from detailed data investigation, is management of information
security. Others may have network and communication skills or be specialists with
penetration testing, for example." Likewise, Prentice obtained a Certified Fraud
Examiner (CFE) certification to give him credibility in his area of concentration —
fraud and forensics.
Reinhard emphasizes the business aspect of internal auditing: "IT auditors, like any
other auditor, should have a sufficient understanding of the business, financial, and
operational controls to be able to add value in a system development project. The idea
is that the IT auditor has a general understanding of all aspects of a development
review so that they know when to call in the financial or operational audit experts."
With new and updated certifications being developed to match the growth of
technology on the whole, IT auditors would be wise to seek more than standard
training, according to Davis. "Auditors should look outside the box and focus on
governance, compliance, forensics, and project management." Following is an
additional list of certifications that can enhance an IT auditor's core qualifications:
Certified in the Governance of Enterprise IT (CGEIT): ISACA's certification
developed for professionals who have a significant management, advisory, or
assurance role relating to the governance of IT.
ITIL Certification: Certification in ITIL represents knowledge of a comprehensive
set of management practices with which an organization can manage its IT
service operations. ITIL is based on documents originally created by the UK Office
of Government Commerce.
Certified Security Compliance Specialist (CSCS): A certification oriented toward
compliance with the U.S. Health Insurance Portability and Accountability Act
(HIPAA), requiring a comprehensive treatment of major information security
regulations and standards.
Certified Fraud Examiner (CFE): A designation awarded by the Association of
Certified Fraud Examiners that denotes expertise in fraud prevention, detection,
deterrence, and investigation.
Project Management Professional (PMP): A credential offered by the Project
Management Institute for professionals who manage multiple related projects
that are aligned with an organization's strategy.
Projects in Controlled Environments (PRINCE2): A process-based method for
effective project management and the de facto standard used extensively by the
UK government and in other countries around the world.
How Can IT Auditors Stay Up-to-Date?
Once the proper certifications and training are in order, the greatest challenge
becomes staying on top of the influx of data that continues to flood all areas of IT. In
addition to receiving training in designated specialties, auditors can follow trends in
IT auditing by:
Participating and networking with other IT auditors through local Institute of
Internal Auditors and ISACA chapters.
Subscribing to and reading IT audit journals and publications,
including ITAudit and The IIA's Global Technology Audit Guides (GTAG).
Participating in listservs by reviewing communications and asking questions.
Attending conferences and seminars in IT and other audit areas.
Tapping their IT organization for training; for new or acquired technologies,
vendor training is often available.
Most important, IT auditors need to adopt a philosophy of continuous lifelong
learning, according to Davis. "Take any and all opportunities to learn, such as joining
a mailing list and listening to a webinar or podcast, and it wouldn't hurt to open a
book or visit a Web page once in a while and study a subject," he says. Surat agrees:
"Keeping up-to-date can be achieved by self-study in ever-evolving technologies,
benchmarking with other companies, leveraging Internet audit resources, and
networking with other IT auditors."
What Does the Future Hold?
With all of the complex legislation being passed and new technologies being
introduced, the future of IT auditing looks bright, if not blinding. Prentice predicts
that although some auditors might find the subject matter a little dry, compliance with
regulations and legislation is sure to be a booming area for IT auditing.
In terms of specific technology trends, Surat and Davis believe that voice over Internet
protocol (VoIP) issues will play a major role in IT audit's future. According to Surat,
"Voice and data communications are moving to a VoIP solution, which has many
inherent financial, data privacy, and network configuration-related risks. Also,
management of the end-to-end software life cycle seems to be a common issue, and
with the availability of freeware and downloadable software, best practices and total
assurance of the environment can result in control and vendor management issues."
Davis throws wireless into the mix as well: "If you thought wireless was bad to date,
you haven't seen anything yet. Put wireless together with VoIP, and you have some
real audit challenges."
Reinhard sums up his position by stating: "IT auditors can take advantage of
opportunities, especially if they are willing to go beyond an IT audit base and
understand the business environment. The most value for an audit department is for
the IT auditor to remain up-to-date on the technologies proposed or used by his or her
business."
While all interviewees agreed that IT governance, compliance, and risk management
would be the cornerstone of future IT audit opportunities, regardless of what the
future brings, one thing seems guaranteed: with the assured growth of technology,
those who choose careers in IT auditing will have unlimited potential.
Shawna Scharf is a contributing staff writer.
Copyright © 2017 The Institute of Internal Auditors. All rights reserved.