The Role of IT Auditor and The Best Certification for The Job


It's fairly easy for a small company with a single office and under a dozen employees to keep track of its technology and information systems. A few workstations, a small business server, a couple of printers, maybe a high-speed cable Internet connection. This same company may have a handful of databases on a pair of mirrored disk drives, or a subscription to an industry-related information service. An IT professional could easily track this company's IT/IS assets and procedures in an Excel spreadsheet.


But what about a company with two dozen offices and thousands of employees, conducting business transactions in multiple countries? This company would have a large and complex network infrastructure. It could be hosting its own Big Data solution, using its own analytics to help shape business strategies. And it is likely dealing with different laws and regulations in every country it does business in.


How can this company keep track of its entire IT/IS infrastructure, to ensure that it is getting the maximum business value from its systems?


Enter the IT auditor.


IT auditors perform rigorous audits on an organization's information technology, including all applicable systems and processes. IT auditors are responsible for discovering security risks and identifying inefficiencies in existing information systems. They determine whether an organization's IT procedures and controls meet regulatory standards and maintain regional legal compliance. IT auditors also report on IT governance, the ongoing process of aligning information technology goals with strategic business objectives.


Auditing isn't new — it's an investigative framework of tools and processes which have been used in the financial sector for ages. IT auditing includes many aspects of traditional auditing, with a few tweaks.


Like their financial brethren, IT auditors must have excellent communication skills, and be able to consult with people across the entire org chart. They must be excellent investigators, able to focus their attention on large collections of information for long periods of time.


Obviously, the key difference for IT auditors is that they must also be fully knowledgeable in multiple technology disciplines, and need to stay current on new tech developments and their related impacts and risks.


IT auditors must also have a strong understanding of the fundamentals of business. They are expected to advise senior business leaders on how to bring a company's IT strategies into alignment with its business goals. To do this, IT auditors must be both tech savvy and business savvy.



The role of IT auditor has evolved over time, becoming more complex, and requiring greater amounts of training and education. Of the various professional certifications associated with IT auditing, the Certified Information Systems Auditor (CISA) credential from industry group ISACA has become a respected and well-recognized standard.


(It's also well compensated: In the most recent Certification Magazine salary survey, people holding a CISA certification reported an average annual income of $110,190.)


Part of the CISA's value comes from its relative scarcity — the CISA certification exam is only offered three times a year, currently in June, September and December. As of this writing, registrations are currently being accepted for the December 2015 exam.


The CISA certification exam is by all accounts a difficult challenge for candidates. The exam consists of 200 multiple-choice questions, which candidates have four hours to complete. The exam content is made up of five knowledge domains:


- The Process of Auditing Information Systems
- Governance and Management of IT
- Information Systems Acquisition, Development, and Implementation
- Information Systems Operations, Maintenance, and Support
- Protection of Information Assets


Once a candidate has passed the CISA exam, they must meet the work experience requirements. For CISA certification, candidates must have five years of professional IT auditing, control, or security experience. A portion of the work experience component can be waived based on certain alternate work experience and/or specific post-secondary education. Up to three years of the five-year requirement can be waived in this manner.


Candidates can earn the required work experience (or waivers) after passing the CISA exam, but there is a time limit of five years from the date of passing the exam for completion of the work experience component.


If you would like to learn more about the CISA certification, a good starting point is the How to Become CISA Certified home page on the ISACA web site. The ISACA site also contains a wealth of information about IT auditing, and is a worthwhile resource for anyone interested in this critical IT industry job role.


About the Author
Aaron Axline is a freelance technology writer based in Canada.

Aaron Axline is a technology journalist and copywriter based in Edmonton, Canada. He can be found on LinkedIn, and anywhere fine coffee is served.