I get asked all the time, “How do I get a job in IT audit with little or no experience?”
When Michael Onuoha asked me this question (see here), I thought I’d share my response with my readers.
You’ll find these same answers scattered around the blog as I answered people in the past, but I thought I’d pull it all together into one place.
Breaking into any field can be difficult, but it can be done. Especially when the demand for IT auditors is so high.
Here’s my suggestions:
First, if you don’t have a current job, skip to #3. Otherwise, start with #1.
1 – Talk to the auditors in your current company
If you are currently working at a company that has IT auditors, ask the people you know and interact with on a daily basis who can introduce you to the IT auditors.
A little known secret is that most people love to be asked their opinion (ahem) and help others. Tell those auditors about your aspirations, and ask them whether they see any opportunities for you in the near future.
Either way, ask them what you can do to increase your chances of becoming an IT auditor at your company, or another company.
Companies often hire internal people rather than external people; they are less risky. And when companies hire inexperienced people, they are even MORE likely to hire internal.
BONUS: If possible, see if one of the IT auditors is willing to meet for lunch once a month and share his/her audit experiences.
2 – Ask for related opportunities
Again, where you work now, look for projects that give you the experience you need. Talk to your manager and director, and ask whether any upcoming projects have IT, audit, security, or compliance components. Make it known you’d like to work on those kinds of projects.
BONUS: Don’t overlook opportunities in employee resource groups, company events, and the like to gain experience and/or meet key people.
3 – Look for volunteer work
If you don’t have a job or your current job doesn’t offer any or enough opportunities, look for non-profits, churches, colleges, universities, or small businesses that might need IT, audit, security, or compliance help.*
Talk to everyone you know, including people at the grocery store and dentist. Also contact your local colleges and universities for leads.
You are not looking for the perfect experience that will land you your dream IT audit job; you are looking for any experience that will move you forward.
This will allow you, in the future, to explain to a prospective IT audit manager how eager you are to learn, serve others, and work toward your goals. You don’t just sit around and wait for luck to strike.
*I’ve helped support the network and do computer troubleshooting at 2 former churches, and at one church, I was also in charge of maintenance. I learned about building codes, fire codes, city regulations, and had to meet with city personnel and vendors to bring things into compliance. You think that was helpful in my career?
4 – Pass the CISA exam
As soon as you are sure that you want to pursue IT auditing, study for and pass for the CISA.
If you are really serious about an IT audit career, I’d tackle the CISA first, as it will take a few months at least. And while you study, you can look for opportunities and gain whatever experience you can find.
You won’t be able to get the certification itself until you have all the experience, but again, passing the exam tells hiring managers that you are serious and ambitious.
The reason I don’t list this step first is because it is a bigger investment than the previous steps.
As you study for this exam, it will help you understand where your knowledge is the weakest, and where you need to spend the most time learning.
5 – Take advantage of free classes and learning on the ‘Net
The Internet is full of free resources, like this blog. Especially review the websites at ISACA and IIA , as both have some free information about IT auditing and auditing in general. For example, I highlight some free resources for security and CISSP training in Teach Yourself Security.
I am NOT saying you have to get the CISSP certification–you don’t–I am just showing you an example of the type of free info that’s out there. You just need to go get it.
BONUS: Don’t forget to ask the audit, security, and compliance professionals in your company what free resources THEY rely on.
6 – Apply for an IT Audit position at a large company
Because a shortage of GOOD IT Auditors seems to be the new normal, if you have any experience in IT, audit, compliance, privacy, security, technical writing, or project management, apply anyway.
Stress how the experience you DO HAVE will help you learn IT audit quickly. Even if you don’t meet most of the qualification, apply anyway, as you might just be the most qualified person that applied.
Why do I suggest this?
In one large company I recently contracted at for over 4 years, I watched them hire 5 IT auditors. Not one of them was qualified as an IT auditor!
Two of them had IT experience (help desk, IT project management, IT operations management), one was a financial analyst, one was a privacy compliance person, and one was fresh out of college with absolutely NO experience of any kind that even leaned toward IT auditing.
And not one of them had any audit experience! But all of them but the college grad had worked successfully in other areas of the company (see #1 above).
So why do companies hire these kinds of people? For 2 main reasons: all the experienced IT auditors are already working, and the companies are NOT willing to pay high enough salaries.
So emphasize the skills you have, apply for the positions, and don’t expect great pay, at least to start.
But remember that this works best at larger companies with at least 10 auditors, because they have the resources to train a new IT auditor.
On the other hand, small companies that need only 1 or 2 IT auditors can’t afford to hire inexperienced people.
BONUS: To determine how many auditors a company has, search LinkedIn or call the company and ask.
7 -Take any job at your target company
Sometimes it helps to get a foot in the door at a company where you want to work, and then move into IT audit (see #1).
Get hired at your target company doing whatever you already know how to do, and do a great job at it. While you’re waiting for your opportunity to move into IT audit, learn the business, the people, and the culture.
8 – Apply for a job at the Big 4.
For those who don’t know what the Big 4 is, it’s the 4 largest accounting and auditing firms: Deloitte Touche Tohmatsu, Ernst & Young, KPMG, and PricewaterhouseCoopers.
I have never worked for the Big 4, but they sometimes take on inexperienced people or college grads and turn them into auditors.
From what I’ve been told personally (and you read it all over the ‘net), it’s a hard grind, you work a ton of hours, and you travel a lot, and the pay isn’t great. But if you can last 2 years there, you will have learned enough about IT audit to get a better job. Having the Big 4 on your resume is a bonus to employers.
I don’t recommend it unless you have exhausted all other options AND you still want to work as an IT auditor.
The Bottom Line
If you like technology and at least have a strong interest in computers and computer systems, you CAN do this if you’re willing to put in the effort. Ask people to help you, search and read the net, read certification books, and most of all, believe in yourself and keep pushing forward!
Let me know what ideas you have, what you think of these suggestions, and whether you have any questions.
Here’s a couple links that you might find helpful.
Become a Info Systems Auditor (video) – a bit on the humorous side
New IT Auditors Should Start Here (list of good IT audit posts on this blog)