IT Auditor Job

I’m probably going to relocate soon and even if I don’t, I am actively looking for a better job.

I have been called by several recruiters and so far, two of them have told me I would be very well suited to be an IT auditor (I have degrees in CIS & Finance).

I have been reading about audit methods, decisions, IT controls etc. but I have yet to truly understand what IT auditors do every day.

Using the six degrees of separation principle, can anyone, or anyone you know, tell me what the day-to-day duties are for an IT auditor? Is it mostly writing? Mostly testing? Mostly meetings?

Any help would be greatly appreciated!

I work in IT but I only know a little bit about auditors. I have never seen one but I am told they look at my work, the procedures I followed, or the output of my work.

The ones where I work enforce a lot of procedures. They put in systems like peer reviews of code and data validation by different business units. They track those procedures to make sure they are followed. We have to fill out a lot of Excel spreadsheets and checklists to meet their requirements.

They validate data by going as close to the source as possible and try to replicate numbers on reports or even end-user screens. It is very important that management numbers are correct especially if they get reported externally.

There are security audits that I only know a little bit about but you can probably guess what they do.

I believe this is a hot field now because the Sarbanes-Oxley Act imposes so much auditing for publicly traded companies. It is basically looking over everyone’s shoulder to make sure data is secure, the right data is fed to the business and external parties, and regulations are complied with.

I would say it's about 25% meetings and observing. 25% on mapping systems and processes. About 25% testing. 15% writing. 10% at the bar at lunchtime to forget about the meetings.

It's difficult to give you a hard idea since every audit shop and company is different. I didn't do the IT work but my best friend in the group did. You will have a lot of meetings to discuss the environment and observe procedure. The majority of time is spent on mapping the control environment and testing. Our IT guy spent a lot of time writing up Visio flowcharts to map all the processes and trying to determine areas where to concentrate testing. He would then go into testing anything from penetration testing, reviewing access control lists, disaster recovery types of things.

You then spend a ton of time writing up all the test work you did if the shop doesn't have canned programs. We were unfortunate enough to work for a very acquisitive firm so many of the groups we audited were new, requiring de novo writeups on the groups and their operations.

Once you test and write up findings then the hard part begins. If you work for an organization with low levels of integrity, no one wants to own up to their faults. So you spend a boatload of time arguing over semantics in the findings and the actual level of risk involved. Many meetings, many rewrites. It's very frustrating to watch your IT manager sell you out on half of your findings because he doesn't have the stones to take on certain managers.

When there is some downtime, you need to work on cultivating confidential informants. Believe me, it helps. Everyone at VP level or above will lie to you, so you need rank and file folks to give you the truth. Things got so bad at IT that the SVP had a meeting to tell his staff that the next person who opened up to IA was getting sacked.

Eventually they’ll make you take the CIA and/or CISA exams. They aren’t hard but you still need to take some time to study for them.

That’s my experience at least. An audit true-believer will probably give you a different one.

Basically, it seems to me that their job is to ensure that the IT folks are following the rules. This makes sense when there are rules to be followed.

I had a job like this once (10 years ago, predating Sarbanes-Oxley). I ran screaming from it because virtually everyone approached you with an adversarial attitude. There was no support. Things have changed lately, largely due to SOX, but I do not know that they have changed for the better (I'm not saying they haven't, I just don't know).

Well summed up.

To the average business user IT systems are a black box. They feed data in, it gives results back out. They have no way of knowing for sure if what happens in between is correct, secure or trustworthy. They simply don’t have the required knowledge.

IT Auditors go in and take the black box apart, make sure it's working correctly, proper business rules are being followed, no one's cheating (either the business or the law) and it's not likely to fall apart within the month and take the business with it.

So not a whole lot different from Financial Auditors.

You guys are great!

So the IT auditors are basically technical 'checkers'. I am drawn to the testing part of it but I do not want to be part of the 'oh no, here they come' group.

Sounds like the political aspects of the job (i.e. no one ever wants to be blamed for not following the rules) make it very unpleasant. Like ethelbert stated, everyone approaches the IT auditors with an adversarial attitude.

Maybe I’ll just finish up my MCT. Any wisdom on the MCT route?