How to get an IT Audit job with little or no experience

I get asked all the time, “How do I get a job in IT audit with little or no experience?”

When Michael Onuoha asked me this question (see here), I thought I’d share my response with my readers.

You’ll find these same answers scattered around the blog as I answered people in the past, but I thought I’d pull it all together into one place.

Breaking into any field can be difficult, but it can be done, especially when the demand for IT auditors is so high.

Here are my suggestions:

First, if you don’t have a current job, skip to #3. Otherwise, start with #1.

1 – Talk to the auditors in your current company

If you are currently working at a company that has IT auditors, ask the people you know and interact with on a daily basis who can introduce you to the IT auditors.

A little-known secret is that most people love to be asked their opinion (ahem) and to help others. Tell those auditors about your aspirations, and ask them whether they see any opportunities for you in the near future.

Either way, ask them what you can do to increase your chances of becoming an IT auditor at your company, or another company.

Companies often hire internal people rather than external people; they are less risky. And when companies hire inexperienced people, they are even MORE likely to hire internal.

BONUS: If possible, see if one of the IT auditors is willing to meet for lunch once a month and share his/her audit experiences.

2 – Ask for related opportunities

Again, where you work now, look for projects that give you the experience you need. Talk to your manager and director, and ask whether any upcoming projects have IT, audit, security, or compliance components. Make it known you’d like to work on those kinds of projects.

BONUS: Don’t overlook opportunities in employee resource groups, company events, and the like to gain experience and/or meet key people.

3 – Look for volunteer work

If you don’t have a job or your current job doesn’t offer any or enough opportunities, look for non-profits, churches, colleges, universities, or small businesses that might need IT, audit, security, or compliance help.*

Talk to everyone you know, including people at the grocery store and dentist. Also contact your local colleges and universities for leads.

You are not looking for the perfect experience that will land you your dream IT audit job; you are looking for any experience that will move you forward.

This will allow you, in the future, to explain to a prospective IT audit manager how eager you are to learn, serve others, and work toward your goals. You don’t just sit around and wait for luck to strike.

*I’ve helped support the network and do computer troubleshooting at 2 former churches, and at one church, I was also in charge of maintenance. I learned about building codes, fire codes, city regulations, and had to meet with city personnel and vendors to bring things into compliance. You think that was helpful in my career?

4 – Pass the CISA exam

As soon as you are sure that you want to pursue IT auditing, study for and pass the CISA exam.

If you are really serious about an IT audit career, I’d tackle the CISA first, as it will take a few months at least. And while you study, you can look for opportunities and gain whatever experience you can find.

You won’t be able to get the certification itself until you have all the experience, but again, passing the exam tells hiring managers that you are serious and ambitious.

The reason I don’t list this step first is that it is a bigger investment than the previous steps.

As you study for this exam, it will help you understand where your knowledge is the weakest, and where you need to spend the most time learning.

5 – Take advantage of free classes and learning on the ‘Net

The Internet is full of free resources, like this blog. Especially review the websites at ISACA and IIA, as both have some free information about IT auditing and auditing in general. For example, I highlight some free resources for security and CISSP training in Teach Yourself Security.

I am NOT saying you have to get the CISSP certification–you don’t–I am just showing you an example of the type of free info that’s out there. You just need to go get it.

BONUS: Don’t forget to ask the audit, security, and compliance professionals in your company what free resources THEY rely on.

6 – Apply for an IT Audit position at a large company

Because a shortage of GOOD IT Auditors seems to be the new normal, if you have any experience in IT, audit, compliance, privacy, security, technical writing, or project management, apply anyway.

Stress how the experience you DO HAVE will help you learn IT audit quickly. Even if you don’t meet most of the qualifications, apply anyway, as you might just be the most qualified person who applied.

Why do I suggest this?

In one large company I recently contracted at for over 4 years, I watched them hire 5 IT auditors. Not one of them was qualified as an IT auditor!

Two of them had IT experience (help desk, IT project management, IT operations management), one was a financial analyst, one was a privacy compliance person, and one was fresh out of college with absolutely NO experience of any kind that even leaned toward IT auditing.

And not one of them had any audit experience! But all of them but the college grad had worked successfully in other areas of the company (see #1 above).

So why do companies hire these kinds of people? For 2 main reasons: all the experienced IT auditors are already working, and the companies are NOT willing to pay high enough salaries.

So emphasize the skills you have, apply for the positions, and don’t expect great pay, at least to start.

But remember that this works best at larger companies with at least 10 auditors, because they have the resources to train a new IT auditor.

On the other hand, small companies that need only 1 or 2 IT auditors can’t afford to hire inexperienced people.

BONUS: To determine how many auditors a company has, search LinkedIn or call the company and ask.

7 – Take any job at your target company

Sometimes it helps to get a foot in the door at a company where you want to work, and then move into IT audit (see #1).

Get hired at your target company doing whatever you already know how to do, and do a great job at it. While you’re waiting for your opportunity to move into IT audit, learn the business, the people, and the culture.

8 – Apply for a job at the Big 4

For those who don’t know what the Big 4 is, it’s the 4 largest accounting and auditing firms: Deloitte Touche Tohmatsu, Ernst & Young, KPMG, and PricewaterhouseCoopers.

I have never worked for the Big 4, but they sometimes take on inexperienced people or college grads and turn them into auditors.

From what I’ve been told personally (and you read it all over the ‘net), it’s a hard grind, you work a ton of hours, and you travel a lot, and the pay isn’t great. But if you can last 2 years there, you will have learned enough about IT audit to get a better job. Having the Big 4 on your resume is a bonus to employers.

I don’t recommend it unless you have exhausted all other options AND you still want to work as an IT auditor.

The Bottom Line

If you like technology and at least have a strong interest in computers and computer systems, you CAN do this if you’re willing to put in the effort. Ask people to help you, search and read the net, read certification books, and most of all, believe in yourself and keep pushing forward!

Your turn

Let me know what ideas you have, what you think of these suggestions, and whether you have any questions.

Other info

Here are a couple of links that you might find helpful.

IIA – Path to IT Audit

Become a Info Systems Auditor (video) – a bit on the humorous side

New IT Auditors Should Start Here (list of good IT audit posts on this blog)




14 responses to “How to get an IT Audit job with little or no experience”

  1. Pingback: How to get an IT Audit job with little or no experience – Cyber Security

  2. Good advice, ITAUDITSECURITY. There’s more along these lines in my IT audit FAQ at


    • Gary,
      Wow, I thought some of my posts were long!
      I’ll read through it eventually and let you know what I think. At this point, I also bounced through it, and I’m wondering which parts are mostly humor and which parts are all humor. I’m sure a good read will solve the issue.


  3. Audit Monkey

    I may have mentioned this before but there are two types of IT Auditors, those with an IT background and those without! (As detailed in point 6). It is becoming increasingly noticeable that clients (especially in the B4 and Consultancy World), are no longer prepared to settle for those who have made good and want true professionals. In short, why should the clients pay for second best? Continuing the issue raised in point 6, what level of assurance can the inadequately skilled, experienced and unqualified professional provide?


    • Always good to get a rise out of you, Audit Monkey.

      You are assuming IT auditors with an IT background are good IT auditors; while it is more likely, it is not always true.

      You and I have crossed swords a few times over inexperienced auditors and how they can contribute to the cause….

      First of all, that’s why the IIA requires audit supervision. For newbies and oldies who get lazy or miss a few things here and there. Now, before you strike back, I’ll admit that adequate supervision is not always present, due to laziness, or IT audit work supervised by a manager who only knows Operations and Finance. It happens, but it is not according to audit standards. So I lay that fault at the manager’s feet, not the newbie IT auditor’s.

      Second, did not the great Monkey himself once upon a time eat only green bananas? Or were you an audit expert from Genesis 1:1? Allow your fellow auditors to wear a fig leaf or two to cover their newbie-ness.

      Third, I’ve always said it is more important to know how to audit than it is to understand IT processes. Give me a good auditor who doesn’t know IT and she’ll do a better job than a good IT guy who doesn’t understand audit. Of course, to be good, you have to know both. IT auditors often have to learn both together, unfortunately, and struggle with both.

      Fourth, you don’t always know what you need to know to audit something. You have to learn it first, then audit it, then explain it to the experts. A good IT auditor doesn’t need to know everything or even close; she just needs to understand the basics, be able to learn new concepts fast, understand how to test it, be able to pull needed knowledge and impact from the auditee’s brain, and put it all together into a reasonable test that is well documented.

      Having said that, I agree that high prices are paid for poor work. Yes, IT auditors are not that great, and things are getting worse. Yes, the B4 is the worst, which is why I suggested trying them for a job. :)


  4. Michael

    Hi ITAuditSecurity,
    Thanks for posting this. Was really informative and helpful.
    Thus far, I have self-studied, joined ISACA, did a non-paying internship with no promise of retention. I am currently studying to take my CISA in May.

    In the past 2 mths, I’ve applied to several companies. Very few advertise Junior positions. Only senior. Those that do advertise Junior or internship positions, are looking for only currently enrolled college students.

    I’ve been fortunate enough to have 3 different interviews. One went as far as inviting me to their Corporate HQ where I interviewed for several hrs. All the interviews went well. However at the end, I get told that they wished I had more experience.

    I am yet to see a big 4 job posting for IT Auditors. Most only want internal auditors with an accounting background which I don’t have.

    The only options I am currently considering are:
    1) Passing the CISA and hoping that somehow convinces them to take a chance on me.
    2) Going for a masters with a concentration in IT Audit or Info Sec and hoping to land an internship with a good firm. (Not my best option due to the cost and time)
    3) Try to land a volunteer/shadow an IT Auditor or another internship with a firm. However I’ve searched craigslist, angieslist and several job boards but can’t find anything for IT Auditors. Probably you could advise on how I could go about this better.

    Look forward to your opinion on all this. Thanks in advance.


    • If I can chip-in here, well done Michael for all that you have done so far. Your CISA and internship demonstrate initiative and commitment, both valuable characteristics.

      You didn’t mention your background, though, so I wonder about your experience/expertise in the general area of IT audit – IT, information security, compliance, risk, control and related aspects (essentially the same scope as CISA). Personally, I learnt the ropes in IT and information security prior to even considering an IT audit role, and would have struggled as an auditor without that formative background. Have you considered starting in IT, for instance? IT jobs are probably easier to come by than IT audit jobs for newcomers to the field, although even there the entry point may involve IT degrees and similar qualifications.

      Another suggestion is to actively invest in building your professional social network, including trustworthy, competent recruiters in the field (quite rare in my experience, but tremendously valuable when you find good ones!). How about groups such as ISACA and ISSA that have local chapters, meetings and conferences? And what about all the online social forums these days? Aside from learning stuff from your peers, you can also pick up opportunities and tips about landing jobs, for example is your CV or resume in good shape? Does it properly express your strengths and interests, including your obvious initiative and drive?

      Good luck!


      • Gary,
        Thank you for chipping in. I’m always for that. The door is always open, and it makes the community better.

        I agree with your suggestions.

        I agree with Gary in your efforts so far. You’re on the right track, don’t give up. Kudos for your hard work so far; don’t give up that it hasn’t landed you a job. I’m sure you’ve learned a few things so far, met new people, and are that much closer to realizing your goal.

        Also, like Gary said, it would help if we knew more about your background.

        I would definitely pursue the CISA. I would not go for a Masters unless you have the time and the money. And when you get a job doing IT audit, get your company to pay for your masters.

        I also like your option 3. Keep trying and keep studying.

        I did not hear you say you have talked to everyone you know. Dentist, doctor, grocery store checkout person, literally everyone. Craft an elevator speech (Google it if you’re not familiar) and practice it; that’s what you talk to everyone about. Ask them if they know anyone in that field or SOMEONE that knows someone in that field; also ask about internships or volunteer work.

        Since you’re an ISACA member, talk to your chapter leadership (prez, VP, treasurer, committee heads, everyone) and ask for help. Volunteer to help set up chapter meetings and join a committee if you can. That will help with your networking.

        Another networking idea. If you’re not on Linkedin, join it. And join IT, audit, and security groups at that site.

        Keep the conversation going….I’m sure Gary will chime in again too.


        • Michael

          Hi Mack,
          Excellent Advice. I am yet to talk to any of the ISACA chapter leadership. Just joined 2 months ago and have only been to one of the monthly meetings thus far. I intend to attend the next one and I will definitely try meeting someone. I will also google the perfect elevator speech to start using.
          I have started focusing more the past week on utilizing my network and asking everyone and anyone I know for a referral.

          I am on LinkedIn, thus far it has helped some. Will look to join more IT Audit groups on there.

          Thanks guys for the advice thus far. Really encouraging.


      • Michael

        Hi Gary, Thanks for your suggestions. Plus I found your blog very informative.

        As far as my background, I have a degree in computer information systems. Know Java, C++, Proficient with Excel (V-lookups). Spent the last decade working in the telecoms field. Nothing particularly related to IT audit but between my degree, the IT Audit coursework and internship I have done, I feel comfortable holding any junior level IT Audit position.

        The only reason why I haven’t considered getting another IT related job is because I felt it might derail my focus from getting into Audit. Plus I’m in my mid 30s and so don’t feel I can start from the bottom of helpdesk and start working my way up.

        I am still on the hunt for a good recruiter. Most I have tried have expressed concern about recommending me for a contract job without years of experience under my belt.

        My resume and LinkedIn are good. I actually paid quite a lot to get them professionally done, crafting my bullet points from IT Audit projects I’ve worked on.


        • Hello again Michael. If you mentioned ‘contract job’ before, I missed it, sorry. That does change things a bit: contractors and consultants are generally expected to hit the ground running. You might be better off searching for a permanent role with an organization that is prepared to train you (or at least give you the slack to learn the ropes), ideally one with a supportive audit function that is into mentoring and supporting staff development (most are). You clearly have a strong IT background, on top of the initiative and interest, so with your pro resume and positive attitude it’s just a matter of finding the right match.

          Good luck mate!

          PS Any chance of you posting an update here in a few months? What did/didn’t work best for you? What else did you learn about the IT audit recruitment market? Do you owe us a beer, or do we owe you one?!


  5. Pingback: Audit Management Sometimes Sucks | ITauditSecurity
