IT auditor one of the fastest growing careers

Nobody likes the word "audit." That is, unless you are, or are thinking about becoming, an IT auditor, which is one of the fastest growing career areas in IT according to CareerProNews. Since the passage of information legislation like Sarbanes-Oxley, IT audits have increased, and so has the need for people to do them.

An IT audit is the process of collecting and evaluating evidence about an organization's information systems, practices, and operations. IT auditors look not only at physical controls, as a security auditor would, but also at the business and financial controls within an organization.

IT auditors help organizations comply with legislation, making sure they keep data and records secure. These auditors don't actually implement any fixes; they offer an independent review of the situation.

Fred Roth, a senior consultant at a training institute, says he believes the demand for IT auditors will continue for the next couple of years: "I talk to a lot of management from companies in the U.S., Canada and Europe. The answers are always the same -- they cannot find enough good IT auditors."

So what does it take to be an IT auditor? CareerProNews says that "CIA (certified internal auditor), CISA (certified information systems auditor) and CISSP (certified information systems security professional) certifications are becoming an absolute must for IT auditors."

Roth adds: "IT auditors need to be qualified to audit the many different aspects of IT: systems, networks, databases, encryption, etc., and they need to be proficient and stay current as the technology changes. This requires ongoing training."

Although most IT auditor positions start out on contract, many firms are realizing the need to hire full-time personnel to handle the duties.

About

Toni Bowers is Managing Editor of TechRepublic and is the award-winning blogger of the Career Management blog. She has edited newsletters, books, and web sites pertaining to software, IT career, and IT management issues.

12 comments
Hoelzer David

The CIA, CISA and CISSP are all a good start, but one of the things that the recent findings with regard to FISMA have clearly shown us is that these are not nearly deep enough technically. Too many IT auditors focus completely on specific settings without considering how the processes actually function. The GSNA certification adds the piece that you really need to round this out. In fact, you can even skip the certification as long as you really get what's taught in the classes for it: http://www.sans.org/info/35409

techidea

This article should be renamed to "IT Security Auditor one of the fastest..." When I saw this article I thought that it would probably talk of ISO, ITIL or CMMi auditors, but it talks only of IT Security Auditors.

Chad.Sellers

Would you hire a CISSP or a CISA at your firm, and why?

rl_venkatvadanam

Why has it taken the US software industry so long to recognize the need? Before my retirement 5 years ago I was a Systems Auditor covering all major national and international standards in Software, Automotive, Aeronautics, Electronics and industry in general. I did my first software systems audits in India in the period 1993/95. Although it is never too late to start, it concerns me that over the years we users of software have been the guinea pigs for bad practices and poor management. Equally, I would pass on my best wishes to all those who are contemplating taking up the cudgels; there is everything to gain and nothing to lose. Just remember the auditor's byword: "Arguing with an Auditor is like mud wrestling with a pig! After a time you realize that the pig is enjoying himself."

techrep

"... You hate IT Support and Consultancy - you have been doing it for far too long. This is a new use for your talents!" I have been using and studying I.T. since 1982; mostly since then providing hardware and software support, application design and support, systems and network analysis and design, security, backup and disaster recovery, statistical analysis, email and web services and just about every other aspect of I.T. As a result, I have quite a wide-ranging understanding of I.T. on both macro and micro levels and a keen knowledge of what can go wrong, where, how and why. I.T. Auditing seems a natural career progression; I do not know why it had never occurred to me before. As I am finally starting to get some qualifications in the I.T. field, I might well redirect my attentions to auditing. Does anyone have any words of advice, experience or warning?

dublinbob

Just to be clear here - IT auditors can look at every aspect of IT, including security - so the article title is spot on - it is about IT audit and not a narrow subset of that field, IT Security Auditing. And also to clarify - some people get hung up on the qualification - what is needed and what I look for is wide IT experience and the ability to identify risks, discuss them with management and come up with practical solutions. I get a lot of qualified people who simply cannot get whatever field of IT they have practised out of their heads and are therefore useless in the wider IT audit discipline. The qualification is merely a guideline to employers as to whether the individual understands the field, so it doesn't really matter which one you get. People who describe themselves as ITIL or other standards auditors are really just auditing to that standard and are not IT Auditors who are trained to recognise risks and assess them accordingly. It's worthwhile work, but again it does not get the big bucks because it is limited. So my advice again is get wide experience in IT, get any audit qualification and think about the big picture of IT from strategy down to operating systems.

CListo

Which one would I hire? It depends on the job. If I am looking for a more technical person, the CISSP would blow the socks off. Now, if I am looking for a more managerial person, the CISM or the CISA. Both certifications are non-tech and their strong areas are more related to the process rather than the technology.

Jerr Bear

Systems auditing can be a good choice; however, from a consulting position, it may be a hard start. There are many established C.P.A. and non-C.P.A. firms doing systems auditing. If you are prepared in systems security, it might be a bit better. Either way, you need to find a niche and a group of initial clients. Either way, you should get certified, CISA or CISSP, or if you are well experienced in security management, there is the CISM.

Dr Dij

MISTI seems to be the major group promoting these. I continually get their catalogs full of training sessions for system auditors. I find it interesting to read detailed course info on any field. This is how you find out what they'd be doing all day, and if you'd enjoy it or could do it. misti.com

dublinbob

As an ex computer operator, programmer, project manager etc. I also decided this would be a good step - and quite frankly it was! All those hideous late nights and shifts gone, and instead finally being able to bring experience to bear across the full range of the IT environment. The good thing about it is that you can always go back to IT at any stage, which I have done on and off. But first ask yourself: are you a people person? Because you will hate IT audit if you cannot communicate effectively. Second, you must see the bigger picture. No one is interested in reviewing Windows file permissions - they want to know if they have a good DRP or strategy or UNIX policies, so get used to high level and not detail - though you can be requested to do detailed reviews as well - it's a jack of all trades position. Thirdly - are you a diplomat? You have to swallow a lot of anger in audits at first until you can win people over, so if you are abrasive this is not the career for you. Conversely, if you are a pushover you will be ineffective. Next - do you like mini projects? Because that is what each audit is - if you don't like projects then you'll hate this. Having decided to go for it, just apply for jobs - they are so short of people that just having IT experience is enough - but again you must decide if you want to work for a consultancy or Big 4 company - a fairly vacuous experience as I experienced it - or go and work for a company. Getting CISA is an excellent idea for the CV, but in fact it is so easy and untechnical it is not exactly an educational experience - accountants pass this all the time, so an IT person will breeze it. The easiest way in is internally - if your current org needs an IT auditor they will be delighted, in my experience, that you want to jump ship and do the job for them, because it'll save a fortune in costs and they have someone who already knows the org and its systems.

fvv

Hey Bob, I have to disagree with you that CISA is easy and unethical. I have been involved with IT security audits for 7 years, but only got my certification last year. It was hard work to study for the exam, as they do not only test auditing skills, but also your understanding of different scenarios and solutions. You did not mention whether you have your CISA or not, but one has to have at least 3 years' auditing experience and 2 years' technical experience to qualify for certification. Passing the exam is one thing, getting your certification is another. Maybe that is why there are only about 7000 CISAs in the world currently? I would encourage anyone to sit the CISA exam, and do your audits to get the certification. CEOs, CIOs and ISOs (that is the level where you should be communicating) treat you with great respect when you discuss audit findings with them and you have such certifications. Another one to consider is CISM. A combination of CISA and CISM is a definite winner, and you are seen in the CA/CIO/CFO league. By the way, there is nothing unethical about CISA; ISACA has a Code of Conduct one has to adhere to. Fred

dublinbob

... I did not say it was unethical - it is untechnical. And I'm afraid it is. I also have severe concerns as to its true value. I do not doubt that it is good for getting jobs, but for education it is pretty poor. Also to clarify, I did qualify for CISA but let it lapse, as once you have had it, it means nothing to employers whether you keep it or not. The exam is one element which I have to laugh at - I had a terrible exam - it is surprisingly difficult to do a 5 hour exam [since made easier I believe] of multichoice questions where 2 or 3 answers can all be as good as each other - I thought when I left that I had scored about 50% [I am rarely out by more than 5% in this] - but due to scaling my mark was 88% - a joke really, and I have to say with scaling like that how does anyone fail? The time qualifications are not too hard for most people, as a year could be got by having a degree, 2 for working in IT, so that left a paltry 2 years as an IT auditor, and I'm not sure that most even do IT audit as opposed to normal audit. Never mind those who just lie about it and get a friend to sign for them. But to do it properly, anyone who has been in IT and got a degree in it does not need to do much auditing to get past this hurdle. So on balance the exam is a farce, the experience requirement is a bit vacuous, the CPE is easy. Quite frankly I have to say the QICA qualification knocks it into a cocked hat - much more education, studying, projects to do - a thorough education as opposed to the CISA, which is more about validation than education. In my opinion, any qualification in IT audit is worth doing to get yourself into the IT audit world - it matters not a jot as far as personal development or a career in IT goes. And in case anyone thinks I have an axe to grind, I qualified for CISA easily but did not do QICA, so I should be biased the other way. People I meet who did QICA seem to have learnt so much more to get through.
I have also successfully transitioned from IT audit to Senior IT roles, so I know what I'm on about here!