Survey a class of first graders anywhere in North America and ask them the standard question: What do you want to be when you grow up? "I want to be a doctor," they'll lisp, or a firefighter, or a basketball player. You might even get a few bankers or lawyers. What you will never hear from a single child is "I want to be an auditor," much less an IT auditor, unless they've been coached by a CISA-certified parent. For most people, the desire to become an IT auditor is something that has to develop over time, like a taste for Brussels sprouts or perhaps Scotch. Others, however, are passionate about IT auditing from the first time they realize the potential of data mining or how to stop hackers in their tracks.
Given today's global landscape and market needs, even auditors who are not considering the move to IT must take into account the pervasiveness of technology — skills that were once considered specialties of IT auditors are now required of all internal auditors. In this article, five professionals talk about what led them into the field of IT auditing and how others might do the same.
Meet the Experts
Dick Price, FCA QiCA FIIA QSA
Data analysis specialist with 31 years' experience in information security auditing, consultancy, and training.
Heriot Prentice, MIIA, FIIA, QiCA
Director of Standards and Guidance, The IIA
15 years' experience in internal and IT auditing; 7 years' experience in fraud and forensics.
James Reinhard, CPA, CIA, CISA
Manager, Simon Property Group Inc. More than 20 years' experience in IT and integrated auditing.
Peggy Surat, CISA, CISM
Senior IT Auditor, EDS
7 years' internal audit experience; 20 years' IT experience.
Peter Davis
Principal, Peter Davis + Associates
29 years' experience in IT governance.
Why Go There?
The reasons why professionals enter the IT audit field vary widely. With the tremendous growth of technology, many auditors see IT audit as a way to set them apart from their peers. James Reinhard, audit manager with Simon Property Group Inc., says, "In the early 1980s, as a financial auditor, I saw the need to understand technology and wanted a career advancement boost — an edge on others. So, with the encouragement of my spouse, I took night classes and received a master's degree in computer science and information science. Upon graduation, and with several offers in hand, I began my career in IT auditing."
Heriot Prentice, IIA director of standards and guidance, sums up his decision to enter the field of IT auditing in two words: job security. "I was working for the government in Scotland in 1987 and saw that more auditors were required for IT audits. I knew it would be a great career move if I could get on that learning curve." Because of the government's limited training resources, Prentice taught himself by reading everything he could find on a broad range of technology subjects. Later, after taking a position with Deloitte, Prentice received his training on the job.
Job security wasn't the only reason Prentice made the switch. Like many auditors, he discovered that he had a passion for IT in the course of doing his job. Dick Price, director and security consultant with Beacon I.T. Ltd., discovered his passion when he was sent by KPMG to an audit interrogation software course. "I was so taken with the fact that I knew more about someone else's data than they knew and by the feeling of power that it gave me. I loved interrogating data, but then found I needed a little bit more to go with it, so I moved into IT auditing."
Others view the burgeoning field of IT audit as a way to challenge their abilities. Peter Davis, principal of Peter Davis + Associates, states, "I believe the challenges are what make the job so interesting. IT auditors need to continuously evolve by keeping abreast of new technology and techniques."
At a particular advantage are individuals who already have extensive IT experience and wish to capitalize on this knowledge in the audit field. Prentice believes that it is easier to teach an IT person audit skills than for an auditor to learn IT skills from scratch. Peggy Surat, senior information systems auditor with EDS, is one of thousands of IT professionals who have acquired internal audit accreditation. She explains, "Because I had an in-depth knowledge as an IT practitioner, I felt that I would be the best person to assess risks and controls and recommend solutions for weaknesses. I wanted to be a part of the solution and not part of the problem."
What Skills Do Prospective IT Auditors Need?
Regardless of what causes a professional to enter the field, he or she should have certain characteristics important to a successful IT audit career. An IT auditor should have IT, financial, and operational audit experience, according to Reinhard. He sums up these qualifications by saying, "The ideal IT auditor should be able to discuss IP routing with the network folks in one hour and financial statement disclosures with the controller in the next." And, as with all audit positions, communication and other soft skills are crucial as well. Reinhard presents the following as a general list of attributes:
- Basic audit skills. Basic audit certifications are needed, including the Certified Public Accountant or Certified Internal Auditor designations.
- Desire to understand technology. A genuine interest in all things technical usually precedes a decision to go into IT auditing.
- Educational background in computer science or related field. The growing complexity and vulnerabilities of computer networks require that all auditors have some degree of technical expertise. Price explains, "I used to recruit IT personnel, including programmers, IT department managers, etc., who became very good IT auditors. If they had ITIL [IT Infrastructure Library] skills or something similar, that helped, but in my mind, was not essential."
- Communication skills. Many internal auditors, and especially IT auditors, lack good communication skills, according to Davis. "IT auditors need to remember their geek-speak, but also brush up on their business argot. IT auditors need to speak the language of all your stakeholders so they can translate complex technical problems into quantifiable business decisions."
- Ability and willingness to train others in general IT audit skills. Because much of what IT auditors learn comes through on-the-job training, IT auditors must be able to train coworkers and subordinates in the fast-paced environment of IT auditing.
- The ability to understand new technologies in a short time period. With the meteoric rise in new technologies, coupled with the increasing sophistication of hackers, IT auditors must be able to stay on top of the most current trends.
What Certifications Do IT Auditors Need?
Once an auditor has decided to pursue a career in IT auditing, he or she must choose from a wide range of ever-evolving technology skills and certifications. Even an auditor with extensive experience will most likely need certifications to back up that knowledge, according to Prentice. Below are some of the more general certifications:
- Certified Information Systems Auditor (CISA): ISACA's globally recognized cornerstone certification for IS, audit, control, assurance, and security professionals who control, monitor, and assess an organization's information technology and business systems. This is considered the current industry standard for IT auditors.
- Certified Information Systems Security Professional (CISSP): An independent information security certification governed by the International Information Systems Security Certification Consortium, also known as (ISC)², which provides security training and certification to information security professionals.
- Certified Information Security Manager (CISM): ISACA's certification program for those who manage, design, oversee, or assess an enterprise's information security.
- Microsoft Certified Systems Engineer (MCSE): Microsoft's certification in designing and implementing infrastructure based on the Microsoft Windows 2000 platform and Windows Server System.
Price adds that IT auditing also demands an area of expertise within an overall framework. "My overall framework is ISO 27001 and ISO 27002 [formerly ISO 17799]. My specialty, apart from detailed data investigation, is management of information security. Others may have network and communication skills or be specialists with penetration testing, for example." Likewise, Prentice obtained a Certified Fraud Examiner (CFE) certification to give him credibility in his area of concentration — fraud and forensics.
Reinhard emphasizes the business aspect of internal auditing: "IT auditors, like any other auditor, should have a sufficient understanding of the business, financial, and operational controls to be able to add value in a system development project. The idea is that the IT auditor has a general understanding of all aspects of a development review so that they know when to call in the financial or operational audit experts."
With new and updated certifications being developed to match the growth of technology on the whole, IT auditors would be wise to seek more than standard training, according to Davis. "Auditors should look outside the box and focus on governance, compliance, forensics, and project management." Following is an additional list of certifications that can enhance an IT auditor's core qualifications:
- Certified in the Governance of Enterprise IT (CGEIT): ISACA's certification developed for professionals who have a significant management, advisory, or assurance role relating to the governance of IT.
- ITIL Certification: Certification in ITIL represents knowledge of a comprehensive set of management procedures with which an organization can manage its IT service operations. ITIL is based on documents originally created by the UK Office of Government Commerce.
- Certified Security Compliance Specialist (CSCS): The U.S. Health Insurance Portability and Accountability Act's certification, which requires a comprehensive treatment of major information security regulations and standards.
- Certified Fraud Examiner (CFE): A designation awarded by the Association of Certified Fraud Examiners that denotes expertise in fraud prevention, detection, deterrence, and investigation.
- Project Management Professional Credential (PMP): Offered by the Project Management Institute for professionals who manage multiple related projects that are aligned with an organization's strategy.
- Projects in Controlled Environments Certification (PRINCE2): A process-based method for effective project management and the de facto standard used extensively by the UK government and other countries around the world.
How Can IT Auditors Stay Up-to-Date?
Once the proper certifications and training are in order, the greatest challenge becomes staying on top of the influx of data that continues to flood all areas of IT. In addition to receiving training in designated specialties, auditors can follow trends in IT auditing by:
- Participating and networking with other IT auditors through local Institute of Internal Auditors and ISACA chapters.
- Subscribing to and reading IT audit journals and publications, including ITAudit and GTAG.
- Participating in listservs by reviewing communications and asking questions.
- Attending conferences and seminars in IT and other audit areas.
- Tapping their IT organization for training; for new or acquired technologies, vendor training is often available.
Most important, IT auditors need to adopt a philosophy of continuous lifelong learning, according to Davis. "Take any and all opportunities to learn, such as joining a mailing list and listening to a webinar or podcast, and it wouldn't hurt to open a book or visit a Web page once in a while and study a subject," he says. Surat agrees: "Keeping up-to-date can be achieved by self-study in ever-evolving technologies, benchmarking with other companies, leveraging Internet audit resources, and networking with other IT auditors."
What Does the Future Hold?
With all of the complex legislation being passed and new technologies being discovered, the future of IT auditing looks bright, if not blinding. Prentice predicts that although some auditors might find the subject matter a little dry, compliance with regulations and legislation is sure to be a booming area for IT auditing.
In terms of specific technology trends, Surat and Davis believe that voice over Internet protocol (VoIP) issues will play a major role in IT audit's future. According to Surat, "Voice and data communications is moving to a VoIP solution, which has many inherent financial, data privacy, and network configuration-related risks. Also, management of the end-to-end software life cycle seems to be a common issue, and with the availability of freeware and downloadable software, best practices and total assurance of the environment can result in control and vendor management issues."
Davis throws wireless into the mix as well: "If you thought wireless was bad to date, you haven't seen anything yet. Put wireless together with VoIP, and you have some real audit challenges."
Reinhard sums up his position by stating: "IT auditors can take advantage of opportunities, especially if they are willing to go beyond an IT audit base and understand the business environment. The most value for an audit department is for the IT auditor to remain up-to-date on the technologies proposed or used by his or her business."
While all interviewees agreed that IT governance, compliance, and risk management would be the cornerstone of future IT audit opportunities, regardless of what the future brings, one thing seems guaranteed — with the assured growth of technology, those who choose careers in IT auditing will have unlimited potential.