How to get an IT Audit job with little or no experience

I get asked all the time, “How do I get a job in IT audit with little or no experience?”

When Michael Onuoha asked me this question (see here), I thought I’d share my response with my readers.

You’ll find these same answers scattered around the blog as I answered people in the past, but I thought I’d pull it all together into one place.

Breaking into any field can be difficult, but it can be done. Especially when the demand for IT auditors is so high.

Here’s my suggestions:

First, if you don’t have a current job, skip to #3. Otherwise, start with #1.

1 – Talk to the auditors in your current company

If you are currently working at a company that has IT auditors, ask the people you know and interact with on a daily basis who can introduce you to the IT auditors.

A little known secret is that most people love to be asked their opinion (ahem) and help others. Tell those auditors about your aspirations, and ask them whether they see any opportunities for you in the near future.

Either way, ask them what you can do to increase your chances of becoming an IT auditor at your company, or another company.

Companies often hire internal people rather than external people; they are less risky. And when companies hire inexperienced people, they are even MORE likely to hire internal.

BONUS: If possible, see if one of the IT auditors is willing to meet for lunch once a month and share his/her audit experiences.

2 – Ask for related opportunities

Again, where you work now, look for projects that give you the experience you need. Talk to your manager and director, and ask whether any upcoming projects have IT, audit, security, or compliance components. Make it known you’d like to work on those kinds of projects.

BONUS: Don’t overlook opportunities in employee resource groups, company events, and the like to gain experience and/or meet key people.

3 – Look for volunteer work

If you don’t have a job or your current job doesn’t offer any or enough opportunities, look for non-profits, churches, colleges, universities, or small businesses that might need IT, audit, security, or compliance help.*

Talk to everyone you know, including people at the grocery store and dentist. Also contact your local colleges and universities for leads.

You are not looking for the perfect experience that will land you your dream IT audit job; you are looking for any experience that will move you forward.

This will allow you, in the future, to explain to a prospective IT audit manager how eager you are to learn, serve others, and work toward your goals. You don’t just sit around and wait for luck to strike.

*I’ve helped support the network and do computer troubleshooting at 2 former churches, and at one church, I was also in charge of maintenance. I learned about building codes, fire codes, city regulations, and had to meet with city personnel and vendors to bring things into compliance. You think that was helpful in my career?

4 – Pass the CISA exam

As soon as you are sure that you want to pursue IT auditing, study for and pass for the CISA.

If you are really serious about an IT audit career, I’d tackle the CISA first, as it will take a few months at least. And while you study, you can look for opportunities and gain whatever experience you can find.

You won’t be able to get the certification itself until you have all the experience, but again, passing the exam tells hiring managers that you are serious and ambitious.

The reason I don’t list this step first is because it is a bigger investment than the previous steps.

As you study for this exam, it will help you understand where your knowledge is the weakest, and where you need to spend the most time learning.

5 – Take advantage of free classes and learning on the ‘Net

The Internet is full of free resources, like this blog. Especially review  the websites at ISACA and IIA , as both have some free information about IT auditing and auditing in general. For example, I highlight some free resources for security and CISSP training in Teach Yourself Security.

I am NOT saying you have to get the CISSP certification–you don’t–I am just showing you an example of the type of free info that’s out there. You just need to go get it.

BONUS: Don’t forget to ask the audit, security, and compliance professionals in your company what free resources THEY rely on.

6 – Apply for an IT Audit position at a large company

Because a shortage of GOOD IT Auditors seems to be the new normal, if you have any experience in IT, audit, compliance, privacy, security, technical writing, or project management, apply anyway.

Stress how the experience you DO HAVE will help you learn IT audit quickly. Even if you don’t meet most of the qualification, apply anyway, as you might just be the most qualified person that applied.

Why do I suggest this?

In one large company I recently contracted at for over 4 years, I watched them hire 5 IT auditors. Not one of them was qualified as an IT auditor!

Two of them had IT experience (help desk, IT project management, IT operations management), one was a financial analyst, one was a privacy compliance person, and one was fresh out of college with absolutely NO experience of any kind that even leaned toward IT auditing.

And not one of them had any audit experience! But all of them but the college grad had worked successfully in other areas of the company (see #1 above).

So why do companies hire these kinds of people? For 2 main reasons: all the experienced IT auditors are already working, and the companies are NOT willing to pay high enough salaries.

So emphasize the skills you have, apply for the positions, and don’t expect great pay, at least to start.

But remember that this works best at larger companies with at least 10 auditors, because they have the resources to train a new IT auditor.

On the other hand, small companies that need only 1 or 2 IT auditors can’t afford to hire inexperienced people.

BONUS: To determine how many auditors a company has, search LinkedIn or call the company and ask.

7 -Take any job at your target company

Sometimes it helps to get a foot in the door at a company where you want to work, and then move into IT audit (see #1).

Get hired at your target company doing whatever you already know how to do, and do a great job at it. While you’re waiting for your opportunity to move into IT audit, learn the business, the people, and the culture.

8 – Apply for a job at the Big 4. 

For those who don’t know what the Big 4 is, it’s the 4 largest accounting and auditing firms: Deloitte Touche Tohmatsu, Ernst & Young, KPMG, and PricewaterhouseCoopers.

I have never worked for the Big 4, but they sometimes take on inexperienced people or college grads and turn them into auditors.

From what I’ve been told personally (and you read it all over the ‘net), it’s a hard grind, you work a ton of hours, and you travel a lot, and the pay isn’t great. But if you can last 2 years there, you will have learned enough about IT audit to get a better job. Having the Big 4 on your resume is a bonus to employers.

I don’t recommend it unless you have exhausted all other options AND you still want to work as an IT auditor.

The Bottom Line

If you like technology and at least have a strong interest in computers and computer systems, you CAN do this if you’re willing to put in the effort. Ask people to help you, search and read the net, read certification books, and most of all, believe in yourself and keep pushing forward!

Your turn

Let me know what ideas you have, what you think of these suggestions, and whether you have any questions.

Other info

Here’s a couple links that you might find helpful.

IIA – Path to IT Audit

Become a Info Systems Auditor (video) – a bit on the humorous side

New IT Auditors Should Start Here (list of good IT audit posts on this blog)

Advertisements

26 Comments

Filed under Audit, Certification, Employment, How to..., Technology

26 responses to “How to get an IT Audit job with little or no experience

  1. Pingback: How to get an IT Audit job with little or no experience – Cyber Security

  2. Good advice, ITAUDITSECURITY. There’s more along these lines in my IT audit FAQ at http://www.isect.com/html/ca_faq.html

    Like

    • Gary,
      Wow, I thought some of my posts were long!
      I’ll read through it eventually and let you know what I think. At this point, I also bounced through it, and I’m wondering which parts are mostly humor and which parts are all humor. I’m sure a good read will solve the issue.

      For those of you looking for the section Gary mentioned about becoming an IT auditor, see the link in his post above, and search for “I think I want to become an IT auditor”.

      Like

  3. Audit Monkey

    I may have mentioned this before but there are two types of IT Auditors, those with an IT background and those without! (As detailed in point 6). It is becoming increasingly noticeable that clients (especially in the B4 and Consultancy World), are no longer prepared to settle for those who have made good and want true professionals. In short, why should the clients pay for second best. Continuing the issue raised in point 6, what level of assurance can the inadequately skilled, experienced and unqualified professional provide?

    Like

    • Always good to get a rise out of you, Audit Monkey.

      You are assuming IT auditors with an IT background are good IT auditors; while it is more likely, it is not always true.

      You and I have crossed swords a few times over inexperienced auditors and how they can contribute to the cause….

      First of all, that’s why the IIA requires audit supervision. For newbies and oldies who get lazy or miss a few things here and there. Now, before you strike back, I’ll admit that adequate supervision is not always present, due to laziness, or IT audit work supervised by a manager who only knows Operations and Finance. It happens, but it is not according to audit standards. So I lay that fault at the manager’s feet, not the newbie IT auditor’s.

      Second, did not the great Monkey himself once upon a time eat only green bananas? Or were you an audit expert from Genesis 1:1? Allow your fellow auditors to wear a fig leaf or two to cover their newbie-ness.

      Third, I’ve always said it is more important to know how to audit than it is to understand IT processes. Give me a good auditor who doesn’t know IT and she’ll do a better job than a good IT guy who doesn’t understand audit. Of course, to be good, you have to know both. IT auditors often have to learn both together, unfortunately, and struggle with both.

      Fourth, you don’t always know what you need to know to audit something. You have to learn it first, then audit it, then explain it to the experts. A good IT auditor doesn’t need to know everything or even close; she just needs to understand the basics, be able to learn new concepts fast, understand how to test it, be able to pull needed knowledge and impact from the auditee’s brain, and put it all together into a reasonable test that is well documented.

      Having said that, I agree that high prices are paid for poor work. Yes, IT auditors are not that great, and things are getting worse. Yes, the B4 is the worst, which is why I suggested trying them for a job. :)

      Like

  4. Michael

    Hi ITAuditSecurity,
    Thanks for posting this. Was really informative and helpful.
    Thus far, i have self studied, Joined ISACA, did a non-paying internship with no promise of retention.I am currently studying to take my CISA in May.

    In the past 2 mths, I’ve applied to several companies. Very few advertise Junior positions. Only senior. Those that do advertise Junior or internship positions, are looking for only currently enrolled college students.

    I’ve been fortunate enough to have 3 different interviews. One went as far as inviting me to their Corporate HQ where i interviewed for several hrs. All the interviews went well. However at the end, i get told that they wished i had more experience.

    I am yet to see a big 4 job posting for IT Auditors. Most only want internal auditors with an accounting background which i dont have.

    The only options i am currently considering are:
    1) Passing the CISA and hoping that somehow convinces them to take a chance on me.
    2) Going for a masters with a concentration in IT Audit or Info Sec and hoping to land an internship with a good firm. (Not my best option due to the cost and time)
    3) Try to land a volunteer/shadow an IT Auditor or another internship with a firm. However i’ve searched craigslist, angieslist and several job boards but cant find anything for IT Auditors. Probably you could advice on how i could go about this better.

    Look forward to your opinion on all this. Thanks in advance.

    Like

    • If I can chip-in here, well done Michael for all that you have done so far. Your CISA and internship demonstrate initiative and commitment, both valuable characteristics.

      You didn’t mention your background, though, so I wonder about your experience/expertise in the general area of IT audit – IT, information security, compliance, risk, control and related aspects (essentially the same scope as CISA). Personally, I learnt the ropes in IT and information security prior to even considering an IT audit role, and would have struggled as an auditor without that formative background. Have you considered starting in IT, for instance? IT jobs are probably easier to come by than IT audit jobs for newcomers to the field, although even there the entry point may involve IT degrees and similar qualifications.

      Another suggestion is to actively invest in building your professional social network, including trustworthy, competent recruiters in the field (quite rare in my experience, but tremendously valuable when you find good ones!). How about groups such as ISACA and ISSA that have local chapters, meetings and conferences? And what about all the online social forums these days? Aside from learning stuff from your peers, you can also pick up opportunities and tips about landing jobs, for example is your CV or resume in good shape? Does it properly express your strengths and interests, including your obvious initiative and drive?

      Good luck!
      Gary

      Like

      • Gary,
        Thank you for chipping in. I’m always for that. The door is always open, and it makes the community better.

        I agree with your suggestions.

        Michael,
        I agree with Gary in your efforts so far. You’re on the right track, don’t give up. Kudos for your hard work so far; don’t give up that it hasn’t landed you a job. I’m sure you’ve learned a few things so far, met new people, and are that much closer to realizing your goal.

        Also, like Gary said, it would help if we knew more about your background.

        I would definitely pursue the CISA. I would not go for a Masters unless you have the time and the money. And when you get a job doing IT audit, get your company to pay for your masters.

        I also like your option 3. Keep trying and keep studying.

        I did not hear you say you have talked to everyone you know. Dentist, doctor, grocery store checkout person, literally everyone. Craft an elevator speech (Google it if you’re not familar) and practice it; that’s what you talk to everyone about. Ask them if they know anyone in that field or SOMEONE that know someone in that field; also ask about internships or volunteer work.

        Since you’re an ISACA member, talk to your chapter leadership (prez, VP, treasurer, committee heads, everyone, and ask for help. Volunteer to help set up chapter meetings and join a committee if you can. That will help with your networking.

        Another networking idea. If you’re not on Linkedin, join it. And join IT, audit, and security groups at that site.

        Keep the conversation going….I’m sure Gary will chime in again too.
        Mack

        Like

        • Michael

          Hi Mack,
          Excellent Advice. I am yet to talk to any of the ISACA chapter leadership. Just joined 2 months ago and have only been to one of the monthly meetings thus far. I intend to attend the next one and i will definitely try meeting someone. I will also google the perfect elevator speech to start using.
          I have started focusing more the past week on utilizing my network and asking everyone and anyone i know for a referral.

          I am on linkedin, thus far it has helped some. Will look to join more IT Audit groups on there.

          Thanks guys for the advice thus far. Really encouraging.

          Like

      • Michael

        Hi Gary, Thanks for your suggestions. Plus i found your blog very informative.

        As far as my background, I have a degree in computer information systems. Know Java, C++, Proficient with Excel (V-lookups). Spent the last decade working in the telecoms field. Nothing particularly related to IT audit but have between my degree, the IT Audit coursework and internship i have done, I feel comfortable holding any junior level IT Audit position.

        The only reason why i haven’t considered getting another IT related job is because is because i felt it might derail my focus from getting into Audit. Plus i’m in my mid 30s and so dont feel i can start from the bottom of helpdesk and start working my way up.

        I am still on the hunt for a good recruiter. Most I have tried have expressed concern about recommending me for a contract job without years of experience under my belt.

        My resume and linkedin are good. I actually paid quite alot to get them professional done crafting my bullet points from IT Audit projects ive worked on.

        Like

        • Hello again Michael. If you mentioned ‘contract job’ before, I missed it, sorry. That does change things a bit: contractors and consultants are generally expected to hit the ground running. You might be better off searching for a permanent role with an organization that is prepared to train you (or at least give you the slack to learn the ropes), ideally one with a supportive audit function that is into mentoring and supporting staff development (most are). You clearly have a strong IT background, on top of the initiative and interest, so with your pro resume and positive attitude it’s just a matter of finding the right match.

          Good luck mate!

          PS Any chance of you posting an update here in a few months? What did/didn’t work best for you? What else did you learn about the IT audit recruitment market? Do you owe us a beer, or do we owe you one?!

          Like

  5. Pingback: Audit Management Sometimes Sucks | ITauditSecurity

  6. I am new to IT Audit. I had almost 20 years of experience in IT consulting, network and server administration and IT management. I applied for an IT audit position because I was burned out from the grind. I really enjoy the work and a move into audit can be difficult. To me it was frustrating when you realize you no longer have the rights to find information you need to do your job. Testing is not the hard part of auditing; I’ve done SOX and three audits of various systems at our bank. The hard part for me has been the writing. It takes a while to learn which words you can use and which words are too broad.

    Like

    • I think it was my time learning how to write, present, negotiate and convince people in audit that led to me becoming a tech author writing awareness materials. I’m still learning how to write! In audit, I learnt a lot from my peers and seniors – the audit review and QA processes are both tedious and valuable. We were strong on word-craft and proud of the end products, formal reports that usually managed to find the perfect turn-of-phrase to express our concerns and ultimately achieve changes that improved the organization. Stick at it, Tom, it’s worth persisting and practicing. You might even enjoy it in the end, once it starts to work for you. Conquer the mountain! Own the peak!

      Liked by 1 person

    • Tom,
      I agree with Gary. It’s like any other job; it takes some time to learn the lingo and phrasing (and the reason behind it; hopefully in your case, it is not your manager’s personal preferences; been there, too).

      Many auditors are terrible writers, especially the big 4 auditors If you know the IT and can do the testing, you’ll do fine. If your mgr is smart, they will encourage your strong points while helping you in your weaker areas.

      I’d rather have a auditor who needs help with the writing than help with knowing how to test appropriately.

      With your background, you’ll be a great auditor.

      Thanks for posting.

      Like

      • Michael,
        I found your linkedin profile :)

        My suggestions, in order of criticality:
        1) Change your current profile title from “x” to “x/IT Auditor”. Then add a bullet under your current job saying something like: “Building IT Auditor skills”. Then under that put sub-bullets like:
        -“Studying for CISA. Expect to pass exam by .” That does 2 things: makes sure your profile pops up for people looking to hire IT auditors. Gives you a public deadline to aim for. Make it at least 6 months out unless you are highly motivated.
        -Passed certs 1, 2, 3. etc.
        -Studying AT 101, SSAE 16, ISO 27001)

        Of course, this depends on whether you can advertise that you’re looking to move to another position/company without endangering your current position. If you can ask your manager for help in finding something, that’s a big plus.

        It is critical to get IT Auditor in your title and get CISA on your profile! Just make sure it’s clear you are working toward these items…

        2) Fix typos. I found at least 1.

        3) Explain your abbreviations. There’s a few I wasn’t familiar with.

        4) Work in how you used your cert knowledge in your job. How did you use Lean Six Sigma? What were the results? “Reduced errors by 30%”, etc. PCI is hot. Expand on this.

        5) Get other IT Audit buzzwords in your profile by giving examples of things you did. If you ever reviewed who had access to a system or folder, list that. If you developed a policy, name a couple of them. What standards and best practices? What exceptions? How did you ensure compliance?
        You get my drift? Get those buzzwords in your profile by answering those kind of questions, but keep it short and sweet as possible. Sometimes you can’t do that, but that’s ok here and there.

        6) Get more recommendations. The easiest way is to ask someone for a recommendation, and tell them you will draft something for them that they can use as they see fit. This sounds unethical, but if you are brutally honest in your draft, all you have done is lead the horse to water. (By the way, I also do this for people that I have as my references when I go for a new job. Then they don’t have to think, and you know what they will tell interviewers. No one has ever complained when I’ve done either. In fact, they love it as you have done their work for them).

        Shoot for 1 recommendation per job listed. That tells others you excel everywhere you work.

        7) Start talking to others in the linkedin groups you belong to by posting comments on articles and questions posted by the group. Try contacting a few key people from the group. They are more likely to respond if they have seen your name in comments.

        :)

        Like

  7. Michael E.

    ITauditSecurity,

    I love your blog, so glad I found it. I am new to IT Audit. My background is primarily Healthcare. I’ve worked 9 years in a clinical lab setting. I was fortunate to take an internship last summer in the Information Security & Technology department. There I researched and drafted policies. I love reading the frameworks. I’ve always enjoyed reading and writing, the job felt natural to me. From there I learned about IT Auditing and have been pursuing it ever since. I had a job offer from a major insurance company however the merger was blocked. I’ve been on a few interviews for internships also.

    My education:
    A.S. in Health Administration
    Yellow Belt Lean Six Sigma
    Health IT Cert
    ISACA Cybersecurity CSX Cert

    I am currently preparing for the CISA and familiarizing myself with AT 101, SSAE 16 and re-reading ISO 27001.

    I took your advice and applied to major firms. My next step is to join ISACA. I’m on LinkedIn and apart of a few ITaudit groups.

    I’d like your perspective on what I can do to break into the field. Do I need my B.S.?

    Thanks

    Michael

    Like

    • Michael,
      Thanks for making my day. Always good to hear I’m helping and encouraging others. I too stand on the backs of many others who took the time to help me (and slap me once in a while :) ).

      Unfortunately, yes, you will probably need your BS. Hopefully you will find a company that will take you in and pay for your degree. There is such a shortage of IT auditors that you might be able to find one. Make sure you tell employers you intend to work on your degree right away once hired.

      It will definitely help if you get your CISA ASAP. That will help employers see you are serious and a go-getter.

      Unfortunately, the larger the firm, the more they depend on a degree to weed out undesirables. As a result, they miss a lot of good folks like yourself. Focus on selling your strengths to employers and you’ll eventually find one that will take you in. Don’t get discouraged. In the meantime, keep working on educating yourself and getting the CISA.

      Make sure you do research on the company and can explain how your experience, passions, and drive will help that company. So few people do this and interview well (see my series on hiring IT auditors).

      Always be prepared for “Why I should hire you?”. If they don’t make sure you work into your cover letter/interview. If you can’t answer that question, they you don’t deserve to be hired. I am always shocked when I interview people who can’t answer that question.

      I assume you are first focusing on healthcare companies, hospitals, and billing companies related to healthcare. Your background is coveted in internal audit, and if you have IT knowledge also, WOW!

      Go to the library and ask the librarian for how to identify all healthcare/insurance-related companies in your target area. There’s a publication for that, but I don’t recall what it is. Then start researching and calling/applying at those companies.

      As for linkedin, make sure your profile describes your skills and what you’re working on, like CISA. Search for people in internal audit and risk management in your target companies to see what skill they are looking for; notice what common skills in each person in that company in those positions, and that’s what the company values. Focus on those.

      Also notice what linkedin groups those people are in an join them. You might be able to contact them thru a group easier, and they will be more receptive. Ask them about opportunities in their companies and elsewhere; ask for advice.

      Most people LOVE to give advice (ahem). It flatters them that you ask.

      Have you done items 1-3 in my post above? Do you talk to everyone you meet about your goals and whether they know someone who can help?

      You seem to be on the right track. Let’s keep the conversation going….Wish you the best. Mack

      Like

  8. Michael E

    Mack,

    Awesome! Thanks so much for the advice. I really appreciate it, my thought process is different now due to your enlightenment.

    Since I wrote this a few days ago, a recruiter from the major insurance company called me. The position I interviewed for is open again and they wanted to know if I am still interested, in which I responded yes.

    We will see what happens. Either way I am still going to follow the steps outlined in your responses.

    I’ll post an update as they occur.

    Thanks again,

    Michael

    Like

  9. Pingback: Use LinkedIn to get an IT Audit job | ITauditSecurity

  10. Pingback: New IT Auditor (and WannaBEs) Master List | ITauditSecurity

  11. knowledgefreaks

    Well written. I just want to raise a point. Many auditors think of cisa as a destination. To me, it is a journey which never ends. Once you pass it, it is only the beginning of continuous learning and development given the nature of new normal.

    Like

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s