Here’s my list of the top 10 reasons to be an IT auditor:
10. You have access to all systems, data, and people (with a business reason, of course). Employees rarely ignore you.
9. You can uncover fraud, mischief, ignorance, and just plain laziness. Either way, you “add value to the business” (yeah, I hate that term too, but it is what audit is about, and so appropriate).
8. You can work hand-in-hand with security to raise risk awareness.
7. You get a broad overview of all company operations and get to know people in all departments. That helps you know whether you want to stay with that company or whether to leave it before it implodes. If you choose to stay, all those contacts will be valuable in advancing into other areas of the company.
6. Sometimes your work enables IT to get the funding that it needs, which it hasn’t been able to get on its own.
5. You get to do some cool data analytics to discover misconfigurations, anomalies, trends, and more.
4. You can cross pollinate ideas from one area of the company to another (or one division to another).
3. You are able to constantly learn about technology without having to implement and support it. And when you identify problems, you get to provide guidance on how to fix them, but you don’t have to fix them.
2. You work with technology all day, but when you go home, your work doesn’t follow you. No phone calls at 2 a.m. for support.
1. It usually pays better than financial auditing!
I admit that most of these apply to financial or operations auditors also. But I think the last 3 reasons really make IT audit stand out.
What are your reasons? Or why are you glad that you’re NOT an IT auditor or any kind of auditor?
See also:
ITauditSecurity 
I was an IT auditor 1 year and 3 months, and during that time I got some really good exposure to different business areas within a financial institution, thus I would support no. 7 on the list as my prime reason for being an IT auditor.
The drawback of being auditor is that you have a very little room to make a mistake, one has to be right on the dot with analysis, issues and recommendations. Because people are more than ready to point a finger at audit for being unaware of product functionalities, day to day operations and etc. The credibility is at stake for an auditor more than it is for any other role in a organizations.
Just a personal opinion.
LikeLiked by 1 person
#7? Interesting. I can understand that, but it surprises me. #6 on down are my big drivers. But I am glad you highlight that aspect for our readers.
I hear you on the drawback. It’s tough when you audit a new area – you have little time to learn all you can about it, and meanwhile, you get to convince the experts in that area that they need to start doing X and improve how they are doing Y and Z.
New areas or not, you’re right, you can’t make too many mistakes. I’ve found that when you do, admitting it and doing what you can to make it right can smooth things over. It also helps to be right on a few big things occasionally. The key to both is to do your homework, audit carefully, and recheck everything, especially findings, before you bark. And never surprise auditees. It’s a tough job, especially when your manager has a tight grip on the hours you charge each audit.
LikeLike
I know a CIA who used to say “in an audit you don’t make any mistakes, if you do then stick to it and do everything and anything to stand by it fight it”. Now this is more or less from a political point of view.
LikeLike
I can’t see any reason to do that other than to save face or your job. Everyone makes mistakes, and if you admit it, fix it, and apologize, everyone should be able to move on, provided you don’t make repeated mistakes. To fight for a falsehood, misunderstanding, or outright error is flat wrong and a violation of ethics of any reputable certification, including CIA or CISA.
I made a serious mistake in my career years back, and while it wasn’t easy to own up to, I’m still glad I did it, in spite of the serious consequences. It’s behind me now, and I never have to worry about being “found out”. I also learned a lot from that mistake.
Covering up mistakes is not only unethical, but immoral. I’d rather see my maker with a clear conscience.
LikeLike
I think his message was more less that don’t make mistakes, period.
Like I said it was more or less from a political point of view, since it was a heavily political environment. People were ready to point fingers at audit in no time, and one reason for this could be that audit was doing an excellent job bringing very valuable issues to the table.
LikeLike
Pingback: Audit fees bouncing back in the USA. Will Europe follow? « Quoracy.com
Regarding point 10. As you rightly note, you will not get carte blanche access to all systems. For the FTSE firms I’ve worked for, there’s often some very price sensitive information kicking about on the network or some system. Even for your pretty eyes, you won’t get near it without a damn good reason.
LikeLike
Yep. But the more sensitive the data is, and the fewer people that have access to it, the more the need for an occasional audit of it. Fraudsters love secrets!
LikeLike
Interesting and fair list. I sent a link to your post to our IT audit team. Asked them to see how this list aligns with what they like about IT audit – and if the list matches how we describe the merits of the function to the new staff and interns we routinely recruit.
LikeLike
Chase,
Thanks. Please let me know how they respond, or encourage them to come and comment themselves.
I’m also interested if your team uses ACL Acerno. See my post on that topic.
LikeLike
I work for an audit firm so #2 it isn’t true all the time. My main reason is #1 though I am still waiting for the payoff. For an audit firm IT audit work is not as intensive as financial audit.
LikeLike
Geebie,
I’d be interested in what kind of #2 you get. Care to share?
By audit firm, you mean you audit other companies; you’re not an internal auditor for 1 company?
If so, #1 will come when you go to internal audit.
How many years have you been doing IT audit?
Thanks for your input.
LikeLike
Pingback: 2014 Top Paying Certs (United States) | ITauditSecurity
Pingback: Some of my Favorites | ITauditSecurity
I am a financial auditor for sometime before who went into IT audit. Currently, I am lacking in IT skills. Had a tough time gaining knowledge about IT. The reason i joined is the working hours as compared to the financial auditors. I am having a tough time understanding IT stuffs like High Availability and how SAP/ERP system works. I am considered IT savvy among my peers, but when comes to system I am basically an idiot. Any Idea how do i improve? My boss ain’t going to give much time for me to learn. He has already threaten to fire me. Anyone who switches from financial audit to IT audit too?
I am so depressed.
LikeLike
Arnold,
The chief struggle for any IT auditor is the constant learning that it requires, which few others understand or appreciate. Because technology constantly changes, it’s tough to keep up, especially when IT isn’t your first language.
The positive part is that you realize your shortcomings and need help. A lot of folks blame problems on their auditees or their bosses, which doesn’t help. Some people never look inside themselves, so you’re ahead of a lot of people in that respect.
So here’s some suggestions;
1) You didn’t mention what part of SAP you don’t understand. I audited it here and there for a couple months, and it’s a tough system, huge, and complicated. So don’t feel too bad about that. I certainly never mastered it by any means. I would suggest that you look for some free online sources that can help you understand SAP. More on this below…
2) I’m not sure what kind of relationship you have with your boss, but if you think it would be helpful, talk to him or her. Tell her that you want to improve, explain how you plan to do it (after you’re thought it out and have a plan), and ask for suggestions.
3) You could contact one of the people in your company that run SAP and ask them for any resources available to the company that you might be able to use (some companies contract with services that provide free training on a variety of subjects). Also ask your SAP person for any free resources they would recommend to you.
4) You didn’t mention whether you have read through the CISA book. Well worth the investment, and I’d encourage you to take the exam. See my ‘CISA’ link at the top right of this page under Quick Links. I’d pursue the CISA as soon as you get the chance.
Regarding free SAP resources, they are out there. Here’s one I found, which I reviewed a little, and it looks okay. I’m not affiliated with it, don’t know anyone who has used it, so proceed carefully. There’s a lot of scams out there.
The site is http://www.guru99.com/sap-training-hub.html and I clicked through a couple pages of the first lesson, which didn’t require me to register. I also searched for scams related to this site and found this site that appears to say the guru99 site is legit — see http://www.scamvoid.com/check/guru99.com . Again, this is NOT an endorsement, just a suggestion, so proceed cautiously.
Hope that helps. Mack
LikeLiked by 1 person
Thank you for the advise. I pretty much ask lots of questions to my clients on every job, Some clients can easily sense that i am a newbie, which its quite bad. I have purchased the CISA review manual and has been reading it regularly when i do my audit work.
thanks again. your site is very useful for new IT auditors like me.
LikeLike
Pingback: What IT Auditors Ought to Know – and Don’t! | ITauditSecurity
Pingback: New IT Auditors Should Start Here | ITauditSecurity
Pingback: Top 10 Reasons Why Being an IT Auditor is So Hard | ITauditSecurity
Pingback: New IT Auditor (and WannaBEs) Master List | ITauditSecurity