The role information technology (IT) plays in the accounting industry is increasing. Therefore, if you are interested in both auditing and IT, pursuing the IT audit career path may prove very beneficial for you. So how do you find a job in IT auditing, and what are the advantages of doing so? You can use this information to get the answers to those and other questions you may have about IT auditing. We’ll show you how to become an IT auditor and why IT audit as a career might be right for you.
An IT audit is the analysis and assessment of an organizations’ IT infrastructure, policies, and operations. Consequently, IT audits align with the overall goals of the company to ensure the integrity of company data. Therefore, IT auditors objectively evaluate the accounting and information systems within a business. Then, they determine if the IT systems in place appropriately control a company’s assets.
An IT auditor’s work involves examining a company’s physical security controls and overall business and financial controls. Then, they determine if the controls over the system are strong enough and whether external auditors can rely on the output of the system. Finally, IT auditors also confirm that there are no duplicate processes in place, as these processes can bog down the system without adding to security.
Modern companies are moving toward an integrated approach in which accounting professionals are cross-trained in IT and general auditing. This move helps to eliminate gaps in assessing risks associated with the multiple aspects of a company. Heretofore, coordinating financial, IT, and operational audits to assure sufficient assessment of all elements of corporate responsibility has been challenging. As companies become more aware of the security risks inherent in the modern way of doing business, demand for those with crossover skills in accounting and technology has increased.
The primary responsibility of IT auditors is to assess the controls, reliability, and integrity of the company’s IT environment. Such audits provide stores of information about the company’s IT plan, policies, procedures, and strategies. Therefore, companies engage in these audits in order to expose potential risks. They then use this information to make changes necessary for improving risk management and corporate efficiency.
When compared to financial auditing, IT auditing generally relies less on accounting knowledge and more heavily on information system knowledge (but not exactly computer science).
For junior IT auditors, work involves:
For IT audit managers, the hardest part of this process is completing the initial audit and figuring out how to test controls. When performing an initial IT audit, IT auditors must look at the systems upon which a company relies both in isolation and as part of a larger web. They also must understand how all the systems within the company fit together.
Once the IT auditor has mapped out this interdependent relationship, they can continue to follow that map each year, unless the business makes changes to the system. And when companies do change their applications and processes, IT auditors must develop, test, and assess a revised testing strategy to verify if this strategy will be effective for the new process.
Generally, people working in IT auditing work fewer hours than people in public accounting. And although all auditors can expect to work long hours regardless of their specialization, those in IT auditing can typically expect to work between 50-55 hours per week during busy season (e.g., from 8:45 a.m. to 8:30 p.m. Monday through Friday). However, you should know that IT auditors working for understaffed firms may have to work many more hours than their counterparts at appropriately staffed companies. Thus, if you find yourself working for an understaffed firm, brace yourself to work long hours and weekends.
IT auditors do a great deal of traveling. However, the majority of an IT auditor’s engagements last for just one to two weeks, as their work is less extensive than the work of external audit teams. Furthermore, because IT auditors don’t operate under the strict guidelines that financial auditors do, IT auditors usually enjoy a less stressful work environment.
An IT auditor usually has five to seven clients at any given time, whereas a financial auditor only works with one to two clients at a time. Consequently, one advantage of moving on to the next client every week or two is that you spend less time with clients you don’t love. You also get a more frequent change of scenery.
As always, the answer to this question will depend on your personal strengths and preferences. Yes, IT audit jobs tends to have lower stress and shorter hours than public accounting in some scenarios, but you’ll also make less money and may need to travel. IT auditing is a growing profession with good job security. However, if you’d prefer to work with fewer clients and do well in high-pressure situations that come with higher salaries, financial auditing might be preferable.
Is IT auditing a good career for you? It might be, particularly if you enjoy…
As you look at IT audit careers, it’s important to know how an IT auditor’s job differs from that of a regular auditor.
In general, an auditor looks at a set of financial accounts and determines whether they’re accurate and provide a full picture of the business at hand. There are two main types of regular audits: internal and external.
Internal auditors work for the company or organization that they’re auditing. The company performs voluntary audits on itself in order to make sure its internal controls are doing what they’re supposed to. Additionally, internal auditors will review financial operations to ensure that the organization is operating efficiently. Certified Internal Auditors or CIAs do this kind of work. However, not all internal auditors are certified.
In contrast, external auditors are independent of the organization they’re auditing and are employed by outside firms. These audits are mandatory, not voluntary, since companies must publish accurate, independently-reviewed financial statements. CPAs (Certified Public Accountants) often perform external audits, creating reports based on the accounts prepared by in-house accountants.
On the other hand, an IT auditor’s primary job is to compare a client’s IT systems to a set of external guidelines. Essentially, regular auditing is concerned with finances and IT auditing is concerned with financial information systems. IT auditors look for flaws in policies and procedures as well as a client’s hardware and computing devices. You’ll look for vulnerabilities and make sure only the designated people have access to the information.
IT audits may also be internal or external, depending on who employs the auditor. This position is also sometimes called IS auditor, or information systems auditor.
IT auditing tends to pay better than other areas of auditing. IT auditing offers a greater earning potential in part because the profession requires a specialized background. A shortage of high performers in this field is another reason for the elevated salaries of IT auditing jobs. Therefore, IT auditors enjoy greater incomes than their more generalized peers.
And IT auditors can make even more when they have higher skill levels and additional certifications. In their recent salary analysis, Robert Half identifies the differences in pay within IT auditing by breaking the salaries down into percentiles. IT auditors with few specialized skills and little experience earn the lowest salaries and therefore land within the 25th percentile. However, IT auditors with extensive experience and specialized skills or certifications bring in more money and therefore comprise the 75th and 95th percentiles.
In the U.S., entry-level IT auditors receive on average between $42,250 and $80,250.
And in cities with higher costs of living or a scarcity of talent, IT auditors can expect adjustments for the cost of living to raise their salaries. So if you’re living in San Francisco, El Paso, or New York City, your IT audit salary may be as much as 41%, 28%, and 40.5% higher than the stated average, respectively.
Likewise, IT auditors working in cities with a lower cost of living or an abundance of talent in this field will receive less. Therefore, the income of IT auditors in Mobile, Alabama, is approximately 14% less than the stated average.
Once you have 1-3 years of IT auditing experience under your belt, then the range for your annual IT auditing salary is $64,000 to $122,000.
Again, the difference between the lower and higher salaries on this scale relates to skill sets and experience. IT auditors who earn more within this salary range (identified as the 75th percentile and 95th percentile) possess a stronger skill set and more experience than most of their peers. Additionally, IT auditors in this category also receive higher pay rates when working in areas with higher costs of living and more scarcity of talent.
After you become a senior IT auditor, your salary will likely fall within the range of $78,500 to $150,500. Therefore, the pay increase from junior to senior IT auditor is quite notable.
On average, IT audit managers earn $101,250 to $191,500 annually. Thus,, if you have the dedication and drive to stay in IT auditing, you can experience all the benefits of a sizable IT auditor salary.
A typical IT audit team contains a mixture of individuals with expertise in technology and accounting. Thus, you don’t need to major in accounting to work in the IT auditing field. However, knowledge in accounting allows you to think about the audit on a more conceptual basis and work more effectively with other members of the team. Therefore, as you move up the ranks, accounting knowledge becomes more useful.
The most relevant certification for IT auditor jobs is the Certified Information Systems Auditor (CISA) designation. And securing the CISA is usually not too much of a challenge for IT auditors. You simply must acquire the necessary amount of experience, for which you can get waivers with your education, and pass the CISA exam. This is the most direct IT auditor certification path.
However, if you aspire to head the internal audit department, then you’ll also need a Certified Public Accountant (CPA) license. Furthermore, a CPA license is a must if you want to become a partner within your company.
Having a master’s degree related to accounting and finance helps qualify you for the CPA license. Another CPA requirement you must meet is passing the CPA Exam. If you already have the right education, you should take the CPA Exam and meet the other requirements as soon as you can. Doing so enables you to start experiencing the benefits of the CPA earlier in your career.
What’s more, IT auditing work generally counts toward the CPA experience requirement for licensure. Therefore, by working in this highly valued area, you can both satisfy the demands of your credential and learn a specialized skill.
When you have both the CISA and CPA certifications, you’ll be an expert in accounting with a specialization in IT audit. And these are the tools you need to earn a salary in the 75th to 95th percentile of IT auditors.
The CIA is the Certified Internal Auditor certification. And many IT auditors wonder if having the CIA adds value to the IT auditor career path the way the CPA does.
In truth, the worth of the CIA designation to an IT auditor is debatable. If you foresee IT auditing serving as your life-long career, then the CISA is the preferred certification for this niche. The CISA gives you multiple career options and a higher salary. However, if you aren’t sure that you want to spend the bulk of your career working in this area, and you like the opportunities a more general internal audit certification can afford, then you may want to acquire the CIA instead.
If you want to work as an internal auditor, then you’ll gain credibility, more money, and global recognition with a CIA certification. To experience these perks by earning the CIA, you must meet the CIA requirements. The education requirement asks for an associate’s degree at minimum, and the experience requirement demands at least one year of professional work. Finally, the examination requirement involves passing all 3 parts of the CIA exam.
In fact, some auditors appreciate having both of these certifications. They use the CISA and the CIA to improve their career options and enter higher salary percentile levels. So if you’d like to do the same, you should seriously consider earning one or both of these certifications.
More and more companies appreciate auditors with multiple certifications, but most firms still do not expect it. Therefore, you would be ahead of the game if you added a few sets of letters after your name.
Some people worry that being too specialized will pigeonhole them into one career for the rest of their lives. But one of the benefits of IT auditing is all the job opportunities that exist. Recruiters have an abundance of IT audit positions to fill. Thus, if you want to move beyond internal auditing, you’ll find plenty more IT audit-related positions, as security and privacy offer a variety of occupations.
Having at least one busy season under your belt before moving on to a new position or specialty area is a best practice. Therefore, most IT auditors transition to something new when they become senior.
As a member of an IT auditing team, you’ll be able to develop both your soft (people-oriented) skills and your technological skills. Then, you can work in other areas of technology like information security, technology risk and assurance, and cybersecurity. The connections IT auditing has with these other important areas of business is just one of the reasons why people expect this lucrative field to continue to grow faster than others.
Former IT auditors on Reddit have reported finding roles in tech risk consulting, governance risk and compliance, or IT operations management after a career in audit. However, your specific opportunities will also depend on your educational background and professional certifications.
IT auditors must understand the settings of various accounting and information systems and have the knowledge to test these systems. Consequently, Forbes recently identified five skills auditors need to succeed in today’s competitive market. These skills include strong communication abilities, emotional intelligence, critical thinking and business acumen, professional skepticism, and interpersonal skills.
Although no program of study or certification enables you to improve in all of these areas, many individuals find that continuing to seek education and growth in their areas of interest allows them to develop many of these skills. For example, earning an IT auditing certification like the CISA enables you to better understand the jargon used in both the technical and financial fields. Consequently, having the CISA enhances your ability to communicate with your team.
Most financial auditors lack an understanding of the IT side of a business. Therefore, IT auditors with a solid grasp of business are at a greatly advantage. For example, having a CPA license gives IT auditors even more credibility within the financial team. Consequently, you can use the CPA to speak the same language and deflect unproductive pushback. So possessing both business and technical skills makes you an invaluable member of the auditing team. Moreover, it also makes you someone worthy of significant compensation.
If you’d like to secure the CISA certification, you must provide proof of at least five years of experience in professional information systems auditing, control, or security. However, you can use your education and related job experience to waive some of this CISA requirement.
Pass the CISA Exam
Furthermore, you must also pass the CISA exam, a single test featuring 150 questions. These questions consist of task and knowledge statements representing the work performed in information systems audit, assurance, and control. Additionally, the material on the exam breaks down into five domains with the following subject percentages:
The CISA exam is now available throughout the entire year. To pass it, you need to prepare using the CISA Review Manual and a CISA review course.
A CISA review course ensures that you know everything you need to know about the exam content. It also gives you plenty of practice with exam-like questions. For these reasons, I always recommend supplementing the manual with a review course. Additionally, I offer a comparison of the best CISA review courses to help you choose the right one for you.
One of my recommendations is the CISA SuperReview course, offered by Allan Keele and Certified Information Security. This course thoroughly covers all five domains with video lectures, a sizeable test bank, and dozens of practice exams. Moreover, you’ll have access to the review course creator Allan Keele himself by phone or email.
After you’ve passed the exam and had your experience approved, you will receive your CISA certification. You’ll then need to maintain it by completing CISA continuing professional education (CPE) hours annually. If you use CISA SuperReview, you can receive a certificate for 40 hours of CPE just by completing the course.
To get the CIA certification, you must meet all of the CIA requirements. We’ve mentioned that fulfilling these requirements involves having at least an associate’s degree, possessing the appropriate amount of professional experience according to your education, and passing the CIA exam. The average CIA exam pass rate is approximately 40%. Moreover, the CIA exam has three parts that test your knowledge in the following areas of internal auditing:
You can take each part one at a time and in any order. The CIA exam is available throughout the year. To have the best chance at achieving CIA exam success, you must invest in a CIA review course.
The CIA exam doesn’t come with any study materials as the CISA exam does. Therefore, the only way you can learn all of the exam content and practice with the exam questions is to buy a CIA review course. My comparison of the most popular CIA review courses will help you find the best course for you. And my CIA review discounts will help you save on the course you want.
Within three years of entering the CIA program, you must pass the CIA exam. Also, you must satisfy the education and experience requirements. Then, once you’ve obtained the certificate, you must maintain your certified status by earning a certain number of CIA CPE hours each year.
To get more help with the entire CIA process and learn how to pass each exam part on your first attempt, you can take my free CIA e-course. Learn more or sign up here!
I am the author of How to Pass The CPA Exam (published by Wiley) and the publisher of this and several accounting professional exam prep sites.
CIA UK: How to Become a Certified Internal Auditor UK
CIA Saudi Arabia: How to Become a CIA in Saudi Arabia
CIA Canada: Pass CIA Exam Canada for Certified Internal Jobs in Canada
CIA UAE: How to Pass the CIA Exam UAE for Certified Internal Auditor Jobs in UAE