New Laws Spur Need for Information Technology Auditors The Buzz


The term "audit" means to examine and verify accounts and records. Information technology (IT) auditors make sure companies are keeping data and records secure. They audit IT security systems to make sure those systems are doing their job.

The law says businesses of all types must hang on to an enormous volume of records to prevent things like fraud and accounting errors. It's up to IT auditors to keep all those records secure. Their work helps companies comply with the many regulations governing IT security.

"The systematic approach that internal auditors use to ensure that internal controls are in place to mitigate all risks helps companies meet goals and objectives," says Scott McCallum of the Institute of Internal Auditors (IIA).

"IT auditors review IT controls within companies and organizations," says Fred Roth. He is a senior consultant at a training institute. "They confirm that the business application systems and supporting IT infrastructure have appropriate levels of security and controls to protect the organization's information assets."

IT auditors have been around since the 1960s, but the demand for them has grown significantly.

"I talk to a lot of management from companies in the U.S., Canada and Europe," says Roth. "The answers are always the same -- they cannot find enough good IT auditors to fill positions. It seems like everyone is looking for IT auditors but they are difficult to find."

To get those jobs, IT auditors must have extensive knowledge about the field. While they share some skills with IT security experts, auditing requires additional training.

"Security experts tend to deal more with physical controls, such as physical access," says Igor Abramovitch. He is the division director for an IT staffing agency.

"IT auditors deal with not only physical controls, but also business and financial controls within an organization --for example, how information travels through the systems and where it can be purposely or inadvertently altered along the way."

"IT auditors audit the security experts!" says Roth. "The security professionals implement security. Then IT auditors provide an independent review of security features to ensure that the resulting security implementation has appropriate levels of security and controls."

It's important to distinguish the work of IT auditors from computer security experts.

"IT auditors are different from the IT security experts, in the sense that they come in and pull apart the system's security to understand where the weaknesses lie," says Mitu K. Mann. He works for a professional services firm.

"They are not responsible for fixing the problem. They confirm that there is a definite problem that may impact the financial statements."

In general, IT auditors may be responsible for safeguarding a company's information and data. They may also ensure that the company follows all government regulations. And then they must communicate with other company employees and management to ensure that the proper procedures are adapted in an efficient and cost-effective manner.

Consider training incomputer science, management information systems or engineering. You may also need additional certifications to compete for an IT auditor job.

CIA (certified internal auditor), CISA (certified information systems auditor) and CISSP (certified information systems security professional) certifications are becoming common requirements for IT auditors. And don't think that the learning ends there.

"IT auditors need to be qualified to audit the many different aspects of IT: systems, networks, databases, encryption, etc.," explains Roth. "They need to be proficient and stay current as the technology changes. This requires ongoing training."

"Co-op is always a good place to start to get your hands-on experience," says Mann. "A co-op assignment within a larger accounting/consulting firm will allow for a greater understanding of the field."

Some companies may offer these learning experiences to students so that they may acquire "real" skills while making contributions to the business. With all of the training and experience in place, IT auditors may be hired to work within a particular company. Or they may be employed by a firm that hires out auditors to a variety of clients on an as-needed basis. With the right credentials, it may even be possible to act as an independent auditor.

Links

The Institute of Internal Auditors
An international professional association.

Information Technology Audit
A basic description