A couple of years ago I was managing the IT audit function at a fairly large business. Auditing can be somewhat of a transient profession, and so the department usually had an open position every 6 months – including those for IT auditors. It never failed that once the posting hit our internal job listing, I would get a call from staff (and management) in IT inquiring about the position. To some degree, I was surprised at the interest because IT folks used to play up their disdain for the auditors. We actually had a great working relationship with IT, but I assume they would have been shunned by their fellow IT brethren if they had turned to the “dark side”. Of course you would get the occasional employee looking to escape from a dead-end position, bad management, etc. But most of them were keenly interested in the notion of becoming an auditor. But once I started talking about the day-to-day activities of auditing and the key skills necessary to be successful, I had burst their bubble. The notion of holding meetings, planning a project, documenting workpapers, writing reports and meeting with company management was extremely distasteful to many IT folks. Somehow they had a romanticized view of what auditing was like. I liken it to the phenomenon in the criminal justice system where the general public has a warped perspective on what criminal investigations and forensics are like. The unknowing public assumes it is all glitz and glam with inordinately attractive co-workers, and you get to carry a badge and gun. Sadly, I know several folks in law enforcement who say it couldn’t be any further from the truth. Most investigations are tedious, boring activities that involve sifting through mounds of information, most of which turns out to be useless.
IT auditing can be similar. For those of us in the profession, it can be enjoyable and rewarding. You do have those occasional sensational projects where you uncover fraud or a technical glitch that will save the company buckets of money or extreme embarrassment. But the majority of the work is fairly standard. Planning projects, meeting with people, testing, negotiation, and LOTS of writing. And those are activities many in the IT profession loathe. I enjoy the fact that my work is constantly changing. I’m always moving on to a new project that exposes me to a new area of the company. We tend to be “in the know” about what is going on at the company before most employees. And we get access to a lot of information, data, and people. The downside is it can be difficult to build a dedicated expertise like you would in IT. I can hang with most DBAs, server admins, programmers, etc., following their processes and even tracking with their line of thinking. But I won’t ever have their level of expertise. And that can also be frustrating for an IT professional.