If you’re an IT auditor, how do you describe your job to those who don’t understand technology or auditing? Even more interesting, how do others describe your activities?
Here’s what I say, but I’m not satisfied with it:
I review computer systems and networks to determine whether they are secure and that access to those systems is limited to the appropriate people.
I review the policies and procedures that describe how those systems are used and determine whether those documents make sense, are up-t0-date, and are followed.
I also determine whether business processes meet the requirements of government regulations.
Of course, that’s far from complete, rather dry, and boring. If you’re an IT auditor, what do you tell people, and what reaction do you get?
Usually, the person I’m talking to changes the subject quickly. Once in a while, they ask me about security or how to deal with a problem they’re having on their home network.
Let me know how you handle this… You’ve got to have a better way of putting it.
Here’s what I’d like to say:
I ask IT staff and management questions for which I often already know the answers. I then obtain screenshots and other evidence to prove they’re really lying or incredibly naive.
I help overly confident techies understand that they sometimes make mistakes, are more lazy than they’re willing to admit, and a couple ways exist to sneak a peek at data they insisted was secure.
In addition, I help IT identify time-consuming practices that they don’t need and don’t mitigate any risk.
Finally, I help IT get funding for projects they really need to implement because IT can’t figure out how to put the problem in business language that even a CFO can understand.
What words would you LIKE to use when explaining your worth to others?
Here’s how IT would probably describe my job:
An IT auditor asks questions about systems he doesn’t understand while hoping he’ll find something he can use to pin my backside to the wall.
He criticizes our department for not creating procedures for things we don’t care about and seldom do. He keeps me from doing my real job and the things I could do to earn an extra bonus.
Overall, he spends a lot of time describing all our faults in the worst possible light, forgetting that after dealing with all the daily demands, I go home only to get called back into work in the wee hours of the morning to solve one crisis* after another.
* Which of course, are often caused by items documented in previous audits year over year, which IT management and senior management have ignored.
Okay, I know that was snarky. I’ve met a lot of good IT people out there who really know what they are doing, why, and do it well. Many of them really appreciate what internal audit provides them.
So what’s your experience? Leave me a comment.
———-Updated———
These days, when asked what I do for a living, I say, “I analyze data.” Only a few people take the conversation beyond that. And that’s fine with me.
ITauditSecurity 
My kids have asked this so many times. Ironically they are at the same level as most of the other people that ask the question. I usually introduce it with something similar to this.
“I evaluate the reasonability of the trust placed on the computer systems the company uses. Those systems encompass a lot of technology. While the technology itself is very important, often my focus isn’t exactly the technology but the processes management uses to ensure the trustworthiness for themselves. If they are not monitoring and managing it for themselves, it is likely less trustworthy.”
Something like this usually starts the conversation that allows me delve into the details that the audience is interested in. “Do you look at firewall? Yes, What about …”
LikeLike
John,
Thanks for your input.
It’s a hard thing to explain even to interested people. If someone is just asking to be polite, I usually just say, I check to see whether people do their jobs properly.
Doesn’t get any higher level than that.
LikeLike
I usually just tell people I’m a shrink. I hear developers complain hour after hour on how they really need access to production not just read but also write. I would then spin them around while they are sitting in their cubicle hypnotizing them and once on a trance state, I counsel then ‘convincingly’ that surely they do not need write access. After I snap them out of trance state, I usually wrap it up by asking “how does that make you feel”
I then move on saying that I’m also a career coach guiding staff on how not to screw up their careers by just coasting and being slackers. Magically, I’m also a mind reader. I diagnose the true use of technology rather than what the auditee perceived how the technology and security layer thought it was working.
I’m also a referee between the CIO and external auditors. This is when it gets serious, and I pull out the couch and wear my ‘true’ shrink hat. I try to break down on what the external auditors are saying in some new foreign language that the CIO will of course understand. I sometimes find myself being a shrink of my own demise.
Oh ok So I say IT Auditor. First reaction i get, can you audit my wifi and oh man I need to update my anti virus at home. I tried replying to this spam person, and I never got something back. Ok so what is it that you really do? That’s when I usually say, if you haven’t read about our company on the front page of the news, that’s what I do.
LikeLike
Yo,
I like all of your replies. Especially the last one.:)
It’s a tough job, no doubt, especially when you doing tedious checking of detail upon detail…
LikeLike
I am not an IT auditor, not yet.
My answer will be as follows if I am asked what an IT auditor does:
A job of IT auditor is all about one single word – control. There are two groups of activities in any organization, management and governance. Management includes activities such as planning and organizing with limited resources to accomplish organizational goals , which are established through governance activities. Governance not only sets goals but also develop and monitor controls to make sure management activities aligned with the goals. An IT auditor will check the existence and effectiveness of those controls. He will also provide advice for improvement if necessary.
In short, an IT auditor makes sure IT people are doing right things in right ways.
LikeLike
And for the right reasons. Well put.
LikeLike
Right Reasons -> Goal Alignment Control
Right Things -> Controls Compliance
Right Ways -> Effectiveness of Controls
LikeLiked by 1 person
Right on!
LikeLike
My wife has a pretty dynamite way of describing my job:
“My husband is sort of like an IT Detective. He helps find issues, prevents hackers from getting into the systems and tests computer systems for weaknesses.”
My boss also does a great job of describing what we do:
“We are subject matter experts in the area of IT management, cyber security and Information Assurance. We review and test the controls and processes of an organization to determine their operating effectiveness in order to help our clients gain assurance that their control framework complies with the various organizational policies and compliance requirements relevant to the company.”
My wife thinks of me more as a cop on the beat. My boss likes to sell us as business consultants and advisers. I think both assessments are valid.
LikeLike
Shane,
Always good to see you poke your massive brain around the corner.
My wife can’t describe my job very well; she’d probably say, “It’s complicated, and has soemthing to do with data, IT, and security. He loves it.”
i think a real simple, but somewhat lacking description is, “I check other people’s work.” That leaves out the IT stuff and that we also make recommendations to improve efficiency, but it’s simple. Most people who ask me about my work don’t care much beyond that.
skyyler says when people ask him, he says he ‘analyzes data’ (he does mostly data analytics). He seldoms gets questions after he says that.
LikeLike
No one is going to comment on the appropriateness or disrespectfulness or other opinion of the graphic that goes with this post?
I really thot I get a few comments on that…
My artistic advisor hates my graphics; she rolls her eyes constantly, but I cannot get her to create anything for me. The life of a starving blogger.
LikeLike
I didnt even realize the gun shot wounds of the desktop/server/computer/386 processor. Guess it deserves a drive by audit.
LikeLiked by 1 person
Get paid alot of money, especially given the demand in London at the moment.
LikeLike
Pingback: New IT Auditors Should Start Here | ITauditSecurity
Pingback: New IT Auditor (and WannaBEs) Master List | ITauditSecurity