How to get into IT Audit



Just as businesses require an audit of their accounts and financial statements, so too their IT infrastructure, policies and operations need equal evaluation. This is where IT Audit comes in. IT Auditors examine those technical areas of the business to see where improvements can be made and make recommendations to the board.

IT Audit can typically be categorised into three separate work streams: Assurance, Advisory and Consulting.

A high proportion of IT Auditors follow the traditional route in terms of their career, starting at one of the Big Four firms to do IT Assurance or IT Advisory, and then progressing to an in-house IT Audit role. There are other routes, however, depending on skill set: IT Audit professionals also come from areas including core technology, infrastructure, systems engineering and cyber security.

In this article, we’ll be looking at the traditional route from IT Assurance, to IT Advisory, to IT Consultancy.


IT Audit Work Streams

The Assurance work stream refers to the statutorily required audits that must happen for legal compliance and can be viewed as purely retrospective. When performing IT Assurance activities, IT Auditors go in after the project or the financial year end is completed, evaluate the way that controls were implemented, and provide an opinion on any gaps in covering key risks that were missed. In this role, Auditors are essentially the policemen of the business world.

Next up is Advisory, a role within IT Audit which has grown in response to the way business has changed in recent years. The Advisory stream of IT Audit sees Auditors being part of the process, evaluating the IT controls and technology risk strategies of a business as they are rolled out. By shifting the assurance process forward, IT Auditors aim to provide insights that will add value to the business in rolling out secure controls.

Consulting focuses less on the assurance element of an IT audit role and more on proactive collaboration, in helping the business implement the relevant IT security strategies to build for the future. It is very difficult to move directly into an IT risk consulting role without having first cut your teeth in the core assurance and advisory areas.



Starting with the base qualifications, it is highly recommended to have a bachelor’s degree in IT or IS (Information Systems), or alternatively in risk management. If your aim is to work in one of the Big Four auditing firms, it is unlikely that you would be considered without a degree.

Moving onto industry specific certifications, there are a number, with the most commonly recognised ones being CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager) and CRISC (Certified in Risk and Information Systems Control).



Careers in IT Audit typically start with landing a position at one of the Big Four or a business development firm. This is the most common route for people who start from the ground up, deciding early to work in IT audit with the intention of making a career of it.

Alternatively, there can be a route in via an ancillary field. Individuals working in IT, software or hardware development who gain on-the-job experience in dealing with technological risk migrate into a second-line risk or oversight role before moving into a pure third-line role, which is the IT audit stream.



From a technical angle, knowledge and experience with cyber security, business continuity and data analytics are all key skills for an aspiring IT audit professional. With regard to soft skills, the traits hiring managers value most are the ability to lead a team and to manage stakeholders.

