Niching up: how to become a specialist IT Auditor
27 Apr, 20235 minsSo, you’re an IT Auditor, but do you have a specialism? With so many types of audit in deman...
So, you’re an IT Auditor, but do you have a specialism? With so many types of audit in demand right now, it’s important to know the differences and how to stand out in your field. You'll know a degree in Computer Science or Information Systems is beneficial when working in any area of IT Auditing, as well as certifications like the Certified Information Systems Auditor (CISA). But what else will help you to become an expert IT auditor? Whether you’re an experienced IT professional looking to move into auditing, a generalist auditor looking to niche up, or a seasoned auditor wanting to expand into other auditing areas, our breakdown of the most common types and the skill sets you’ll need will help.
(1) IT General Controls Audit
Information Technology General Controls (ITGC) are made up of general controls that protect information from cyber threats. They also help companies to maintain compliance with industry regulations surrounding data privacy, and they’re generally the foundation for auditors just starting out. Another name used for this type of audit might be “application environment controls". For this type of control mechanism, it helps if you have a combination of project management experience and certifications specifically created by organisations like ISACA which offers several courses related to technical control mechanisms within enterprise environments.
(2) Applications Audits
IT Applications audits are used to evaluate software programs, applications, and related hardware configurations. These audits assess application controls and security measures, such as testing user access and authentication. As an applications auditor, you’ll be exposed to a wide variety of applications and depending on the industry you work in, you could find yourself auditing niche applications. Think about the Financial Services industry, for example, where you’ll be auditing a range of (bespoke) banking, payments and finance applications.
(3) Cloud Audits
Cloud audits are used to ensure that internal process aligns with organisation policies for cloud computing technology. A good understanding of cloud infrastructure is needed for these types of audits, such as knowledge about Software-as-a-Service (SaaS) offerings from providers like Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS). Certifications like the Cisco Certified Network Professional (CCNP) or a cloud certification can also be helpful.
(4) Cybersecurity Audits
Cybersecurity audits check the security protocols in place to protect networks from cyberattacks. This type of audit requires a firm knowledge of anti-malware solutions like networks, firewalls, and endpoint protection tools, as well as sometimes penetration testing skills, and certifications such as Certified Information Security Manager (CISM) and Certified Ethical Hacker (CEH).
(5) Infrastructure Audits
Infrastructure auditing examines physical components within an organisation’s network environment, such as routers, switches, public facing/internal servers, etc., for vulnerabilities that may affect availability or performance.
Infrastructure audits are probably the most technical area to become proficient in, so you’ll need a strong technical background plus a genuine passion for it. Those who work on these kinds of audits typically have experience in network administration or security roles, coupled with certifications like CompTIA’s Security+ or ISACA’s CISA certification.
(6) Data Analytics Audit
A data analytics audit evaluates an organisation’s data to help them boost efficiency and remain compliant with industry regulations. Data analytics is key not only in making business processes more efficient, but in making auditing processes (particularly in large organisations) much more streamlined too. Data insights enable companies to set up Robotic Processing Automation (RPA) that carries out auditing in the background reducing a lot of menial manual work. Automation is becoming popular for businesses wanting to get ahead.
Understanding data analysis techniques and business intelligence software is required for these kinds of audits, such as mastery of Excel pivot tables or certification in Tableau Desktop Qualified Associate Exam, SAS, SolveXia, Google Data Studio, and Microsoft Power BI.
And don’t forget to polish up on coding/scripting skills like SQL, R, Python as well.
(7) ERP Audits
An Enterprise Resource Planning (ERP) system audit assesses how well a company is using its ERP system. Mostly used for supply chain companies, an auditor will check out whether data is being collected properly across departments, that operations are being managed appropriately and that compliance regulations are being adhered to as well. Knowledgeable IT Audit professionals need to have strong organisational skills and technical experience evaluating Enterprise Resource Planning systems such as Oracle eBusiness Suite or SAP HANA Platform Solutions.
(8) Digital Audit
In digital auditing, you’re analysing and evaluating an organisation’s digital footprint to check performance and effectiveness. It can involve looking through a range of metrics such as website traffic, search engine visibility/ranking, social media engagement, and conversion rates. As well as good IT/digital knowledge, you’ll need strong know-how of digital marketing principles, and preferably some hands-on experience in marketing too. Great analytical skills are a must. And the ability to understand that different clients will have different needs and strategies is important, so you can tailor your auditing tasks and make appropriate recommendations.
(9) Technology Change
Technology change auditing is the process of evaluating an organisation's systems, procedures, and controls during technology changes/transformation. It involves assessing risks and evaluating the effectiveness of internal controls when implementing changes such as organisational structures, data governance, cybersecurity, and project management.
Want to get into technology change auditing? You’ll need a deep knowledge of various tech systems, as well as experience with enterprise architecture and IT governance. An IT degree is an important first step, and analytical and communication skills are essential. You’ll also benefit from a continuous development mindset. The world of tech is constantly changing, so keeping up with new trends in essential for any successful technology change auditor.
The IT audit market is booming right now! We’re seeing a particularly high demand for audit specialists with Cybersecurity, Data Analytics, Infrastructure and Data Risk experience. But there’s also a surge in demand for experience with emerging technologies like Cloud, AI and Blockchain.
We’re in touch with lots of companies looking for this kind of expertise, as well as audit professionals that can work in these in-demand specialisms. Why not drop us a line to chat about how we could help you?