The term "audit" means to examine and verify accounts and records.
Information technology (IT) auditors make sure companies are keeping data
and records secure. They audit IT security systems to make sure those systems
are doing their job.
The law says businesses of all types must hang on to an enormous volume
of records to prevent things like fraud and accounting errors. It's up to
IT auditors to keep all those records secure. Their work helps companies comply
with the many regulations governing IT security.
"The systematic approach that internal auditors use to ensure that internal
controls are in place to mitigate all risks helps companies meet goals and
objectives," says Scott McCallum of the Institute of Internal Auditors (IIA).
"IT auditors review IT controls within companies and organizations," says
Fred Roth. He is a senior consultant at a training institute. "They confirm
that the business application systems and supporting IT infrastructure have
appropriate levels of security and controls to protect the organization's
IT auditors have been around since the 1960s, but the demand for them has
"I talk to a lot of management from companies in the U.S., Canada and Europe,"
says Roth. "The answers are always the same -- they cannot find enough good
IT auditors to fill positions. It seems like everyone is looking for IT auditors
but they are difficult to find."
To get those jobs, IT auditors must have extensive knowledge about the
field. While they share some skills with IT security experts, auditing requires
"Security experts tend to deal more with physical controls, such as physical
access," says Igor Abramovitch. He is the division director for an IT staffing
"IT auditors deal with not only physical controls, but also business and
financial controls within an organization --for example, how information travels
through the systems and where it can be purposely or inadvertently altered
along the way."
"IT auditors audit the security experts!" says Roth. "The security professionals
implement security. Then IT auditors provide an independent review of security
features to ensure that the resulting security implementation has appropriate
levels of security and controls."
It's important to distinguish the work of IT auditors from computer security
"IT auditors are different from the IT security experts, in the sense that
they come in and pull apart the system's security to understand where the
weaknesses lie," says Mitu K. Mann. He works for a professional services firm.
"They are not responsible for fixing the problem. They confirm that there
is a definite problem that may impact the financial statements."
In general, IT auditors may be responsible for safeguarding a company's
information and data. They may also ensure that the company follows all government
regulations. And then they must communicate with other company employees and
management to ensure that the proper procedures are adapted in an efficient
and cost-effective manner.
Consider training incomputer science, management information systems or
engineering. You may also need additional certifications to compete for an
IT auditor job.
CIA (certified internal auditor), CISA (certified information systems auditor)
and CISSP (certified information systems security professional) certifications
are becoming common requirements for IT auditors. And don't think that the
learning ends there.
"IT auditors need to be qualified to audit the many different aspects of
IT: systems, networks, databases, encryption, etc.," explains Roth. "They
need to be proficient and stay current as the technology changes. This requires
"Co-op is always a good place to start to get your hands-on experience,"
says Mann. "A co-op assignment within a larger accounting/consulting firm
will allow for a greater understanding of the field."
Some companies may offer these learning experiences to students so that
they may acquire "real" skills while making contributions to the business.
With all of the training and experience in place, IT auditors may be hired
to work within a particular company. Or they may be employed by a firm that
hires out auditors to a variety of clients on an as-needed basis. With the
right credentials, it may even be possible to act as an independent auditor.
The Institute of Internal Auditors
An international professional association.
Information Technology Audit
A basic description