The role information technology (IT) plays in the accounting industry is increasing. Therefore, if you are interested in both auditing and IT, pursuing the IT audit career path may prove very beneficial for you. So, how do you work in IT audit, and what are the advantages of doing so? You can use this information to get the answers to those and other questions you may have about IT auditing.
An IT audit is the analysis and assessment of an organizations’ IT infrastructure, policies, and operations. Consequently, IT audits align with the overall goals of the company to ensure the integrity of company data. Therefore, IT auditors objectively evaluate the accounting and information systems within a business. Then, they determine if the IT systems in place appropriately control a company’s assets. For IT auditors, their work involves examining a company’s physical security controls and overall business and financial controls. Then, they determine if the controls over the system are strong enough and whether external auditors can rely on the output of the system. Finally, IT auditors also confirm that there are no duplicate processes in place, as these processes can bog down the system without adding to security.
Modern companies are moving toward an integrated approach in which accounting professionals are cross-trained in IT and general auditing. This move helps to eliminate gaps in assessing risks associated with the multiple aspects of a company. Heretofore, coordinating financial, IT, and operational audits to assure sufficient assessment of all elements of corporate responsibility has been challenging. As companies become more aware of the security risks inherent in the modern way of doing business, demand for those with crossover skills in accounting and technology has increased.
The primary responsibility of IT auditors is to assess the controls, reliability, and integrity of the company’s IT environment. Such audits provide stores of information about the company’s IT plan, policies, procedures, and strategies. Therefore, companies engage in these audits in order to expose potential risks They then use this information to make changes necessary for improving risk management and corporate efficiency.
When compared to financial auditing, IT auditing generally relies less on accounting knowledge and more heavily on information system knowledge (but not exactly computer science).
For junior IT auditors, work involves:
For IT audit managers, the hardest part of this process is completing the first initial audit and figuring out how to test controls. When performing an initial IT audit, IT auditors must look at the systems upon which a company relies both in isolation and as part of a larger web. They also must understand how all the systems within the company fit together.
Once the IT auditor has mapped out this interdependent relationship, they can continue to follow that map each year, unless the business makes changes to the system. And, when companies do change their applications and processes, IT auditors must develop, test, and assess a revised testing strategy to verify if this strategy will be effective for the new process.
Generally, people working in IT auditing work fewer hours than people in public accounting. And although all auditors can expect to work long hours regardless of their specialization, those in IT auditing can typically expect to work between 50-55 hours per week during busy season (e.g., from 8:45 a.m. to 8:30 p.m. Monday through Friday). However, you should know that IT auditors working for understaffed firms may have to work many more hours than their counterparts at appropriately staffed companies. So, if you find yourself working for an understaffed firm, brace yourself to work long hours and weekends.
IT auditors do a great deal of traveling. However, the majority of an IT auditor’s engagements last for just 1-2 weeks, as their work is less extensive than the work of external audit teams. Furthermore, because IT auditors don’t operate under the strict guidelines that financial auditors do, IT auditors usually enjoy a less stressful work environment.
An IT auditor usually has 5-7 clients at any given time, whereas a financial auditor only works with 1-2 clients at a time. Consequently, one advantage of moving on to the next client every week or 2 is that you spend less time with clients you don’t love. You also get a more frequent change of scenery.
IT auditing tends to pay better than other areas of auditing. IT auditing offers a greater earning potential in part because the profession requires a specialized background. A shortage of high performers in this field is another reason for the elevated salaries of IT auditing. Therefore, IT auditors enjoy greater incomes than their more generalized peers.
And IT auditors can make even more when they have higher skill levels and additional certifications. In their recent salary analysis, Robert Half identifies the differences in pay within IT auditing by breaking the salaries down into percentiles. IT auditors with few specialized skills and little experience earn the lowest salaries and therefore land within the 25th percentile. Consequently, IT auditors with extensive experience and specialized skills or certifications bring in more money and therefore comprise the 75th and 95th percentiles.
In the U.S., entry-level IT auditors receive on average between $42,250 and $80,250.
And in cities with higher costs of living or a scarcity of talent, IT auditors can expect adjustments for the cost of living to raise their salaries. So, if you’re living in San Francisco, El Paso, or New York City, your income may be as much as 41%, 28%, and 40.5% higher than the stated average, respectively.
Likewise, IT auditors working in cities with a lower cost of living or an abundance of talent in this field will receive less. So, the income of IT auditors in Mobile, Alabama, is approximately 14% less than the stated average.
Once you have 1-3 years of IT auditing experience under your belt, then the range for your annual income is $62,250 to $119,000.
Again, the difference between the lower and higher salaries on this scale relates to skill sets and experience. IT auditors who earn more within this salary range (identified as the 75th percentile and 95th percentile) possess a stronger skill set and more experience than most of their peers.
Additionally, IT auditors in this category also receive higher pay rates when working in areas with higher costs of living and more scarcity of talent.
After you become a senior IT auditor, your salary will fall within the scope of $75,750 to $145,750.
Therefore, the pay increase from junior to senior IT auditor is quite notable.
On average, IT audit managers earn $97,500 to $185,500 annually.
So, if you have the dedication and drive to stay in IT auditing, then you can experience all the benefits of a sizable IT auditor salary.
A typical IT audit team contains a mixture of individuals with expertise in technology and accounting. So, you don’t need to major in accounting to work in the IT auditing field. However, knowledge in accounting allows you to think about the audit on a more conceptual basis and work more effectively with other members of the team. Therefore, as you move up the ranks, accounting knowledge becomes more useful.
The most relevant certification for IT auditing is the Certified Information Systems Auditor (CISA) designation. And securing the CISA is usually not too much of a challenge for IT auditors. You simply must acquire the necessary amount of experience, for which you can get waivers with your education, and pass the CISA exam.
However, if you aspire to head the internal audit department, then you’ll also need the Certified Public Accountant (CPA) license. Furthermore, a CPA license is a must if you want to become a partner within your company.
Having a master’s degree related to accounting and finance helps qualify you for the CPA license. Another CPA requirement you must meet is passing the CPA Exam. If you already have the right education, you should take the CPA Exam and meet the other requirements as soon as you can. Doing so enables you to start experiencing the benefits of the CPA earlier in your career.
What’s more, IT auditing work generally counts toward the CPA experience requirement for licensure. Therefore, by working in this highly valued area, you can both satisfy the demands of your credential and learn a specialized skill.
So, when you have both the CISA and CPA certifications, you’ll be an expert in accounting with a specialization in IT audit. And these are the tools you need to earn the salary of the 75th and 95th percentile of IT auditors.
The CIA is the Certified Internal Auditor certification. And many IT auditors wonder if having the CIA adds value to the IT auditor career path as the CPA does.
In truth, the worth of the CIA to an IT auditor is debatable. If you foresee IT auditing serving as your life-long career, then the CISA is the preferred certification for this niche. The CISA gives you multiple career options and a higher salary. However, if you aren’t sure that you want to spend the bulk of your career working in this area, and you like the opportunities a more general internal audit certification can afford, then you may want to acquire the CIA instead.
If you want to work as an internal auditor, then you’ll gain credibility, more money, and global recognition with a CIA certification. To experience these perks by earning the CIA, you must meet the CIA requirements. The education requirement asks for an associate’s degree at minimum, and the experience requirement demands at least 1 year of professional experience. Finally, the examination requirement involves passing all 3 parts of the CIA exam.
In truth, some auditors appreciate having both of these certifications. They use the CISA and the CIA to improve their career options and enter higher salary percentile levels. So, if you’d like to do the same, you should seriously consider earning one or both of these certifications.
More and more companies appreciate auditors with multiple certifications, but most firms still do not expect it. Therefore, you would be ahead of the game if you added a few sets of letters after your name.
Some people worry that being too specialized will pigeonhole them into one career for the rest of their lives. But one of the benefits of IT auditing is all the job opportunities that exist. Recruiters have an abundance of IT audit positions to fill. So, if you want to move beyond internal auditing, you’ll find plenty more IT audit-related positions, as security and privacy offer a variety of occupations.
Having at least 1 busy season under your belt before moving on to a new position or specialty area is a best practice. Therefore, most IT auditors transition to something new when they become senior.
As a member of an IT auditing team, you’ll be able to develop both your soft (people-oriented) skills and your technological skills. Then, you can work in other areas of technology like information security, technology risk and assurance, and cybersecurity. The connections IT auditing has with these other important areas of business is just one of the reasons why people expect this lucrative field to continue to grow faster than others.
IT auditors must understand the settings of various accounting and information systems and have the knowledge to test these systems. Consequently, Forbes recently identified 5 skills auditors need to succeed in today’s competitive market. These skills include strong communication abilities, emotional intelligence, critical thinking and business acumen, professional skepticism, and interpersonal skills.
Although no program of study or certification enables you to improve in all of these areas, many individuals find that continuing to seek education and growth in their areas of interest allows them to develop many of these skills. For example, earning an IT auditing certification like the CISA enables you to better understand the jargon used in both the technical and financial fields. Consequently, having the CISA enhances your ability to communicate with your team.
Most financial auditors lack an understanding of the IT side of a business. Therefore, IT auditors with a solid grasp of business are greatly advantaged. For example, having a CPA license gives IT auditors even more credibility within the financial team. Consequently, you can use the CPA to speak the same language and deflect unproductive pushback. So, possessing both business and technical skills makes you an invaluable member of the auditing team. Moreover, it also makes you someone worthy of significant compensation.
If you’d like to secure the CISA certification, you must provide proof of at least 5 years of experience in professional information systems auditing, control, or security. However, you can use your education and related job experience to waive some of this CISA requirement.
Furthermore, you must also pass the CISA exam. The CISA exam is one part featuring 150 questions about a job practice. These questions consist of task and knowledge statements representing the work performed in information systems audit, assurance, and control. Additionally, the job practice of the exam breaks down into 5 domains with the following coverage percentages:
The CISA exam is now available throughout the entire year. So, to pass it, you simply need to prepare using the CISA Review Manual and a CISA review course. A CISA review course ensures that you know everything you need to know about the exam content. It also gives you plenty of practice with exam-like questions. For these reasons, I always recommend supplementing the manual with a review course. And, I offer a comparison of the best CISA review courses to help you chose the right one for you.
After you’ve passed the exam and had your experience approved, you will receive your CISA certification. You’ll then need to maintain it by completing CISA continuing professional education (CPE) hours annually.
To get the CIA certification, you must meet all of the CIA requirements. We’ve mentioned that fulfilling these requirements involves having at least an associate’s degree, possessing the appropriate amount of professional experience according to your education, and passing the CIA exam. The average CIA exam pass rate is approximately 40%. Moreover, the CIA exam has 3 parts that test your knowledge in the following areas of internal auditing:
You can take each exam part one at a time and in any order. The CIA exam is available throughout the year. To have the best chance at achieving CIA exam success, you must invest in a CIA review course.
The CIA exam doesn’t come with any study materials as the CISA exam does. Therefore, the only way you can learn all of the exam content and practice with the exam questions is to buy a CIA review course. My comparison of the most popular CIA review courses will help you find the best course for you. And my CIA review discounts will help you save on the course you want.
Within 3 years of entering the CIA program, you must pass the CIA exam. But, you must also satisfy the education and experience requirements. Then, once you’ve obtained the certificate, you must maintain your certified status by earning a certain number of CIA CPE hours each year.
To get more help with the entire CIA process and learn how to pass each exam part on your first attempt, you can take my free CIA e-course. Learn more or sign up here!
I am the author of How to Pass The CPA Exam (published by Wiley) and the publisher of this and several accounting professional exam prep sites.