IT auditing is not the same as IT

A couple of years ago I was managing the IT audit function at a fairly large business. Auditing can be somewhat of a transient profession and so the department usually had an open position every 6 months – including those for IT auditors. It never failed that once the posting hit our internal job listing, I would get a call from staff (and management) in IT inquiring about the position. To some degree, I was surprised at the interest because IT folks used to play up their disdain for the auditors. We actually had a great working relationship with IT, but I assume they would have been shunned by their fellow IT brethren if they had turned to the “dark side”. Of course you would get the occasional employee looking to escape from a dead-end position, bad management, etc. But most of them were keenly interested in the notion of becoming an auditor. But once I started talking about the day-to-day activities of auditing and the key skills necessary to be successful, I had burst their bubble. The notion of holding meetings, planning a project, documenting workpapers, writing reports and meeting with company management was extremely distasteful to many IT folks. Somehow they had a romanticized view of what auditing was like. I liken it to the phenomenon in the criminal justice system where the general public has a warped perspective on what criminal investigations and forensics are like. The unknowing public assumes it is all glitz and glam with inordinately attractive co-workers, and you get to carry a badge and gun. Sadly I know several folks in law enforcement who say it couldn’t be any further from the truth. Most investigations are tedious, boring activities that involve sifting through mounds of information, most of which turns out to be useless.


IT auditing can be similar. For those of us in the profession, it can be enjoyable and rewarding. You do have those occasional sensational projects where you uncover fraud or a technical glitch that will save the company buckets of money or extreme embarrassment. But the majority of the work is fairly standard. Planning projects, meeting with people, testing, negotiation, and LOTS of writing. And those are activities many in the IT profession loathe. I enjoy the fact that my work is constantly changing. I’m always moving on to a new project that exposes me to a new area of the company. We tend to be “in the know” about what is going on at the company before most employees. And we get access to a lot of information, data, and people. The downside is it can be difficult to build a dedicated expertise like you would in IT. I can hang with most DBAs, server admins, programmers, etc., following their processes and even tracking with their line of thinking. But I won’t ever have their level of expertise. And that can also be frustrating for an IT professional.


IT Auditor’s dark secret

IT Audit isn’t really that difficult…really (in relation to the overall audit profession).

Before I get anyone worked up (anyone randomly reading this blog), let me clarify by saying that IT auditing isn’t easy – just not as difficult as our non-IT audit brethren may think it is. In this day and age where virtually every business process is integrated with technology, there still tends to be a pervasive belief that IT is some form of black box magic that can only be understood by a select few. I think they refer to us as geeks behind closed doors (which is better than nerds, but I will save that for another post). Unfortunately it is the ‘Audit’ piece of IT Auditing that tends to get overlooked or underplayed – by both us geeks and the financially savvy non-geeks.

I don’t think anyone can deny that understanding technology is becoming increasingly important. Far too often, however, I see the focus being placed on those skills rather than the core ability to audit. I have had the pleasure of working in the profession for 15 years with some very solid IT auditors. And in my experience, the best IT auditors I have come across were great auditors to begin with. We all gravitated to IT because we had an interest and aptitude in technology. Many of us didn’t even come from a traditional IT field or have an IT education. But we have a keen interest in technology that often goes beyond the workplace. Unlike financial or operational auditing, where business or financial processes tend to evolve slowly over time, IT is dynamic and requires constant learning. And the most successful IT auditors are those who enjoy learning about that technology. So much so, we often tend to do it on our own time.

That said, IT auditors can have a tendency to go overboard and put all of their focus and energy on technology.  It is the shiny, exciting, dare I say sexy side of the profession.  While those aspects of auditing can be useful, it all comes back to the core tenets of auditing and helping clients manage risk and improve operations. That still requires solid planning, investigation, documentation, and most importantly, talking to clients.  Skills we far too often see lacking in many IT organizations.