The IT Audit Career Path: Salary, Hours, Certifications, and More

it audit

The role information technology (IT) plays in the accounting industry is increasing. Therefore, if you are interested in both auditing and IT, pursuing the IT audit career path may prove very beneficial for you. So, how do you work in IT audit, and what are the advantages of doing so? You can use this information to get the answers to those and other questions you may have about IT auditing.

What Is IT Audit?

An IT audit is the analysis and assessment of an organizations’ IT infrastructure, policies, and operations. Consequently, IT audits align with the overall goals of the company to ensure the integrity of company data. Therefore, IT auditors objectively evaluate the accounting and information systems within a business. Then, they determine if the IT systems in place appropriately control a company’s assets. For IT auditors, their work involves examining a company’s physical security controls and overall business and financial controls. Then, they determine if the controls over the system are strong enough and whether external auditors can rely on the output of the system. Finally, IT auditors also confirm that there are no duplicate processes in place, as these processes can bog down the system without adding to security.

Why Pursue an IT Auditor Career Path?

Modern companies are moving toward an integrated approach in which accounting professionals are cross-trained in IT and general auditing. This move helps to eliminate gaps in assessing risks associated with the multiple aspects of a company. Heretofore, coordinating financial, IT, and operational audits to assure sufficient assessment of all elements of corporate responsibility has been challenging. As companies become more aware of the security risks inherent in the modern way of doing business, demand for those with crossover skills in accounting and technology has increased.

What Does an IT Auditor Do?

The primary responsibility of IT auditors is to assess the controls, reliability, and integrity of the company’s IT environment. Such audits provide stores of information about the company’s IT plan, policies, procedures, and strategies. Therefore, companies engage in these audits in order to expose potential risks They then use this information to make changes necessary for improving risk management and corporate efficiency.

When compared to financial auditing, IT auditing generally relies less on accounting knowledge and more heavily on information system knowledge (but not exactly computer science).

For junior IT auditors, work involves:

  • reading through the system reports and IT policies
  • pulling samples and performing testing
  • doing walk-throughs
  • interviewing clients

For IT audit managers, the hardest part of this process is completing the first initial audit and figuring out how to test controls. When performing an initial IT audit, IT auditors must look at the systems upon which a company relies both in isolation and as part of a larger web. They also must understand how all the systems within the company fit together.

Once the IT auditor has mapped out this interdependent relationship, they can continue to follow that map each year, unless the business makes changes to the system. And, when companies do change their applications and processes, IT auditors must develop, test, and assess a revised testing strategy to verify if this strategy will be effective for the new process.

How Long Do IT Auditors Work?

Generally, people working in IT auditing work fewer hours than people in public accounting. And although all auditors can expect to work long hours regardless of their specialization, those in IT auditing can typically expect to work between 50-55 hours per week during busy season (e.g., from 8:45 a.m. to 8:30 p.m. Monday through Friday). However, you should know that IT auditors working for understaffed firms may have to work many more hours than their counterparts at appropriately staffed companies. So, if you find yourself working for an understaffed firm, brace yourself to work long hours and weekends.

Do IT Auditors Travel?

IT auditors do a great deal of traveling. However, the majority of an IT auditor’s engagements last for just 1-2 weeks, as their work is less extensive than the work of external audit teams. Furthermore, because IT auditors don’t operate under the strict guidelines that financial auditors do, IT auditors usually enjoy a less stressful work environment.

How Many Clients Do IT Auditors Have?

An IT auditor usually has 5-7 clients at any given time, whereas a financial auditor only works with 1-2 clients at a time. Consequently, one advantage of moving on to the next client every week or 2 is that you spend less time with clients you don’t love. You also get a more frequent change of scenery.

What Is the IT Auditor Salary?

IT auditing tends to pay better than other areas of auditing. IT auditing offers a greater earning potential in part because the profession requires a specialized background. A shortage of high performers in this field is another reason for the elevated salaries of IT auditing. Therefore, IT auditors enjoy greater incomes than their more generalized peers.

And IT auditors can make even more when they have higher skill levels and additional certifications. In their recent salary analysis, Robert Half identifies the differences in pay within IT auditing by breaking the salaries down into percentiles. IT auditors with few specialized skills and little experience earn the lowest salaries and therefore land within the 25th percentile. Consequently, IT auditors with extensive experience and specialized skills or certifications bring in more money and therefore comprise the 75th and 95th percentiles.

Entry-Level Information Technology Auditor Salary

it auditor salary

In the U.S., entry-level IT auditors receive on average between $42,250 and $80,250.

And in cities with higher costs of living or a scarcity of talent, IT auditors can expect adjustments for the cost of living to raise their salaries. So, if you’re living in San Francisco, El Paso, or New York City, your income may be as much as 41%, 28%, and 40.5% higher than the stated average, respectively.

Likewise, IT auditors working in cities with a lower cost of living or an abundance of talent in this field will receive less. So, the income of IT auditors in Mobile, Alabama, is approximately 14% less than the stated average.

Junior IT Auditor Salary

it auditor salary

Once you have 1-3 years of IT auditing experience under your belt, then the range for your annual income is $62,250 to $119,000.

Again, the difference between the lower and higher salaries on this scale relates to skill sets and experience. IT auditors who earn more within this salary range (identified as the 75th percentile and 95th percentile) possess a stronger skill set and more experience than most of their peers.

Additionally, IT auditors in this category also receive higher pay rates when working in areas with higher costs of living and more scarcity of talent.

Senior IT Auditor Salary

it audit

After you become a senior IT auditor, your salary will fall within the scope of $75,750 to $145,750.

Therefore, the pay increase from junior to senior IT auditor is quite notable.

Information Technology Audit Manager Salary

it audit

On average, IT audit managers earn $97,500 to $185,500 annually.

So, if you have the dedication and drive to stay in IT auditing, then you can experience all the benefits of a sizable IT auditor salary.

How Can You Pursue the IT Audit Career Path?

A typical IT audit team contains a mixture of individuals with expertise in technology and accounting. So, you don’t need to major in accounting to work in the IT auditing field. However, knowledge in accounting allows you to think about the audit on a more conceptual basis and work more effectively with other members of the team. Therefore, as you move up the ranks, accounting knowledge becomes more useful.

Get the CISA

The most relevant certification for IT auditing is the Certified Information Systems Auditor (CISA) designation. And securing the CISA is usually not too much of a challenge for IT auditors. You simply must acquire the necessary amount of experience, for which you can get waivers with your education, and pass the CISA exam.

Consider the CPA

However, if you aspire to head the internal audit department, then you’ll also need the Certified Public Accountant (CPA) license. Furthermore, a CPA license is a must if you want to become a partner within your company.

Having a master’s degree related to accounting and finance helps qualify you for the CPA license. Another CPA requirement you must meet is passing the CPA Exam. If you already have the right education, you should take the CPA Exam and meet the other requirements as soon as you can. Doing so enables you to start experiencing the benefits of the CPA earlier in your career.

What’s more, IT auditing work generally counts toward the CPA experience requirement for licensure. Therefore, by working in this highly valued area, you can both satisfy the demands of your credential and learn a specialized skill.

Double Up on Certifications

So, when you have both the CISA and CPA certifications, you’ll be an expert in accounting with a specialization in IT audit. And these are the tools you need to earn the salary of the 75th and 95th percentile of IT auditors.

Should You Earn the CIA Certification?

The CIA is the Certified Internal Auditor certification. And many IT auditors wonder if having the CIA adds value to the IT auditor career path as the CPA does.

Do You Always Want to Work in IT Auditing?

In truth, the worth of the CIA to an IT auditor is debatable. If you foresee IT auditing serving as your life-long career, then the CISA is the preferred certification for this niche. The CISA gives you multiple career options and a higher salary. However, if you aren’t sure that you want to spend the bulk of your career working in this area, and you like the opportunities a more general internal audit certification can afford, then you may want to acquire the CIA instead.

If you want to work as an internal auditor, then you’ll gain credibility, more money, and global recognition with a CIA certification. To experience these perks by earning the CIA, you must meet the CIA requirements. The education requirement asks for an associate’s degree at minimum, and the experience requirement demands at least 1 year of professional experience. Finally, the examination requirement involves passing all 3 parts of the CIA exam.

Do You Want to Make More Money?

In truth, some auditors appreciate having both of these certifications. They use the CISA and the CIA to improve their career options and enter higher salary percentile levels. So, if you’d like to do the same, you should seriously consider earning one or both of these certifications.

More and more companies appreciate auditors with multiple certifications, but most firms still do not expect it. Therefore, you would be ahead of the game if you added a few sets of letters after your name.

How Can You Move On from an IT Auditing Career?

Some people worry that being too specialized will pigeonhole them into one career for the rest of their lives. But one of the benefits of IT auditing is all the job opportunities that exist. Recruiters have an abundance of IT audit positions to fill. So, if you want to move beyond internal auditing, you’ll find plenty more IT audit-related positions, as security and privacy offer a variety of occupations.

Having at least 1 busy season under your belt before moving on to a new position or specialty area is a best practice. Therefore, most IT auditors transition to something new when they become senior.

As a member of an IT auditing team, you’ll be able to develop both your soft (people-oriented) skills and your technological skills. Then, you can work in other areas of technology like information security, technology risk and assurance, and cybersecurity. The connections IT auditing has with these other important areas of business is just one of the reasons why people expect this lucrative field to continue to grow faster than others.

What Can You Do to Become a Better IT Auditor?

IT auditors must understand the settings of various accounting and information systems and have the knowledge to test these systems. Consequently, Forbes recently identified 5 skills auditors need to succeed in today’s competitive market. These skills include strong communication abilities, emotional intelligence, critical thinking and business acumen, professional skepticism, and interpersonal skills.

Verify Your IT Auditing Skills

Although no program of study or certification enables you to improve in all of these areas, many individuals find that continuing to seek education and growth in their areas of interest allows them to develop many of these skills. For example, earning an IT auditing certification like the CISA enables you to better understand the jargon used in both the technical and financial fields. Consequently, having the CISA enhances your ability to communicate with your team.

Learn the Language of Business

Most financial auditors lack an understanding of the IT side of a business. Therefore, IT auditors with a solid grasp of business are greatly advantaged. For example, having a CPA license gives IT auditors even more credibility within the financial team. Consequently, you can use the CPA to speak the same language and deflect unproductive pushback. So, possessing both business and technical skills makes you an invaluable member of the auditing team. Moreover, it also makes you someone worthy of significant compensation.

How Can You Start Your CISA Career Path?

If you’d like to secure the CISA certification, you must provide proof of at least 5 years of experience in professional information systems auditing, control, or security. However, you can use your education and related job experience to waive some of this CISA requirement.

Pass the CISA Exam

Furthermore, you must also pass the CISA exam. The CISA exam is one part featuring 150 questions about a job practice. These questions consist of task and knowledge statements representing the work performed in information systems audit, assurance, and control. Additionally, the job practice of the exam breaks down into 5 domains with the following coverage percentages:

  • 1: The Process of Auditing Information Systems (21%)
  • 2: Governance and Management of IT (16%)
  • 3: Information Systems Acquisition, Development, and Implementation (18%)
  • 4: Information Systems Operations, Maintenance and Service Management (20%)
  • 5: Protection of Information Assets (25%)

The CISA exam is now available throughout the entire year. So, to pass it, you simply need to prepare using the CISA Review Manual and a CISA review course. A CISA review course ensures that you know everything you need to know about the exam content. It also gives you plenty of practice with exam-like questions. For these reasons, I always recommend supplementing the manual with a review course. And, I offer a comparison of the best CISA review courses to help you chose the right one for you.

After you’ve passed the exam and had your experience approved, you will receive your CISA certification. You’ll then need to maintain it by completing CISA continuing professional education (CPE) hours annually.

How Can You Start Your CIA Career Path?

To get the CIA certification, you must meet all of the CIA requirements. We’ve mentioned that fulfilling these requirements involves having at least an associate’s degree, possessing the appropriate amount of professional experience according to your education, and passing the CIA exam. The average CIA exam pass rate is approximately 40%. Moreover, the CIA exam has 3 parts that test your knowledge in the following areas of internal auditing:

You can take each exam part one at a time and in any order. The CIA exam is available throughout the year. To have the best chance at achieving CIA exam success, you must invest in a CIA review course.

Pass the CIA Exam

The CIA exam doesn’t come with any study materials as the CISA exam does. Therefore, the only way you can learn all of the exam content and practice with the exam questions is to buy a CIA review course. My comparison of the most popular CIA review courses will help you find the best course for you. And my CIA review discounts will help you save on the course you want.

Within 3 years of entering the CIA program, you must pass the CIA exam. But, you must also satisfy the education and experience requirements. Then, once you’ve obtained the certificate, you must maintain your certified status by earning a certain number of CIA CPE hours each year.

To get more help with the entire CIA process and learn how to pass each exam part on your first attempt, you can take my free CIA e-course. Learn more or sign up here!

Please rate this

About the Author Stephanie

I am the author of How to Pass The CPA Exam (published by Wiley) and the publisher of this and several accounting professional exam prep sites.

follow me on:
  • Elias says:

    I work in IT Field, how can I start a career in IT Audit?

    • Stephanie says:

      Hi Elias,
      You can work towards it gradually, for example, start taking a class on IT audit or take the CISA exam to show your commitment. You won’t be able to get the CISA qualification until you get the relevant experience, but the fact that you take and pass the exam show you are serious and with your existing IT knowledge it should be a smooth transition. Good luck! Stephanie

  • hannah2822 says:

    I had a bachelor degree in AIS but I started out as a general external auditor. I basically could not remember anything that I learned. I just got my CPA and have probably have 2 years experience. So, what would you suggest me to do to transit to IT or Internal audit?

    Thanks!

    • Stephanie says:

      Hi Hannah, I believe transiting from external to internal audit is pretty smooth. It’s probably the easiest route to IA in my opinion (most IA start with doing something else). As for IT, your AIS knowledge will come back once you put the theories in practice. Not a problem in my opinion as long as you have the right attitude to learn, be humble but at the same time stay positive and helpful for your team. Good luck! Stephanie

      • Hannah says:

        Thanks for your answer…
        Because I do not work in Big4, there’s no IT/internal audit department in my firm. I would have to get a new job if I want to be IT/Internal audit. However, it look like I would have to have solid 3 experience to get an entry-level?
        I do not want to start from entry-level when I am already a senior…or is it something that I have to sacrifice.?

        • Stephanie says:

          Hi Hannah, not necessarily as many companies value external audit experience as well. From my observation, many IA departments hire people in various background — some more IT oriented, some external auditors, some corporate accounting people… they like a good mix of different skills. You can start talking to a recruiter or friends in the industry to find out more.

  • Damion says:

    Hi Hannah. I’m currently a junior in college majority I’m Accounting. Should I go for a Master’s degree in Management Information Systems to better my chances in It audit?

  • Jay Bhadra says:

    I am a recently qualified Chartered Accountant from Institute of Chartered Accountants of India. I wish to pursue CISA but I would like to know how much it would help if I were to join a company giving me a Forensics related work with financial background. Would CISA be of great help in that case?

    • Stephanie says:

      Hi Jay, there are some niche qualification for forensic accounting but I don’t know enough to comment. I guess CISA is helpful if your work involves IT audit, which is possible in Forensis, but I can’t say it is directly related. Maybe you can try to get into the industry first and go for CISA later?

  • Martin says:

    Good day

    I would like to start a truly successful career in IT Auditor but i don’t have undergraduate degree. I am certified and working as an IT Technician. How would i go about starting this path?

    Regards

    • Stephanie says:

      Hi Martin,
      In terms of eventually getting the CIA certification, do you have an associate degree, or some kind of post-secondary school (post-high school) education? This is acceptable as well but you will need 5 years of IA experience down the road…

      … or see if you have start as an accountant assistant and start from there. I tend to think that, if you end up getting the CIA certification, it will put you back in the level playing field.

      Here is more info:
      https://ipasstheciaexam.com/cia-exam-requirements/

  • Jason Anderson says:

    Hello, Stephanie!

    I have a degree in accounting, and have been experimenting with I.T. for a very long time (over ten years). While I haven’t worked in the I.T. industry, I do have knowledge on how to setup and troubleshoot I.T. I’m currently pursuing a career in information system auditing (I’ve even passed the CISA exam), yet I can’t seem to find work in auditing. It’s true I’ve never worked in accounting, and I just graduated. But, apparently, no one’s hiring.

    Do you have any advice on getting an audit job?

    • Stephanie says:

      Hi Jason, your background should be great for IT audit! It is a more specialized niche so I have to say the demand is probably less than, say, external audit. But you just graduated right? No worries, take the time to network, and keep contact with recruiters (LinkedIn is a great place for that). Be a likeable person, and keep in touch with people. The opportunity will come 🙂

      Did you get called for interviews? If not, then you may want to improve your resume; if you do get interviews and not the job, then the bottleneck is more on the interview skills. Things will slow down towards the holidays. Let me know how it goes in January!

      • Jason Anderson says:

        Thank you for the reply, Stephanie. I actually graduated a year ago. As for the network, well, that’s not really helping. I am on LinkedIn, though. So you recommend looking for recruiters on LinkedIn? I shall look on that, then.

  • Geetha says:

    Hi,
    I have a bachelors in accounting and worked in auditing as well as finance associate jobs….but I do not have any knowledge about information technology……is there any degree out there to give me general idea about information systems and then I try for Cisa or with this background I would be able to do cisa…. I think an information systems degree would help me.,if it does then please suggest me one….

    Thanks

    • Stephanie says:

      Hi Geetha, there are such specialized degrees but you probably don’t need a degree for career switch? Auditing is close enough. Taking the CISA exam is the right direction with relatively time and effort and money… Having said that, if you are really serious about IT audit career you can take a master’s. I don’t have this info but depending on where you’d like to take this degree, the info shouldn’t be hard to find 🙂

  • Vasan says:

    I’m working as a IT aduiter and I have 2 year Exp in this field, Can you please suggest where i get good career and opportunity IT audit or Development(Planning to go in software development)

    • Stephanie says:

      Hi Vasan, it really depends on where you live — but this position is probably more common in bigger companies where they can afford to specialize in niches within audit. You may want to check with your local recruiters and head hunters for more info. Good luck!

  • harshit says:

    Hi, I am just about to complete my BTECH in INFORMATION TECHNOLOGY and i really want to prepare for CISA but don’t know how to start. I m also confused about the career opurtunity i will get if i pass this exam. CAN u please guide me through a bit

  • Mtha says:

    hi,

    I have been in accounting field for more than 5 years and I want to divert to IT auditing, with that I decided to enrol for a Bcom IT Management which I will be completing this year.How are the growth opportunities within this sector? What skills do I really need to have coz I don’t think I am that technical?

    regards
    Mtha

    • Stephanie says:

      Hi Mtha,
      I tried to address the growth opportunities and how one can be a better IT auditor in the above article. Don’t have anything more to add for now… but you may want to try talk to people in the industry (the professors or graduated students in the BCOM IT management for example) and get some insights. Regards, Stephanie

  • Sunaina says:

    I am a computer engineer who has more than 9 years of experience in the network security domain as a tester. I recently passed my CISA exam. I would like to know if what job roles would be best suited for me in information security/ auditing using this certification.

  • Joanne says:

    Hi,
    I’m currently an Accounting Information Systems major. I am interested in IT Auditing. Would it be worth it to have both a CPA and CISA certification even if I do not plan to become a partner for a firm or head of the IA department? I know that some people who work in IT auditing (with CISA certification) after a few years do decide to change jobs and work in the private accounting instead of public accounting. Is it still worth it though to do both examinations? Or just CISA?

    Thank you so much!

    • Stephanie says:

      Hi Joanne, I would say CISA is a technical certification while CPA would be more strategic. So when your role is technical, CISA is good and good enough. But as you move up and possibly get involved in more strategic roles, it’s the time when the CPA license shows its value. You never know where you’ll be down the road. If you can afford the time to get CPA now, I encourage you to explore that.

  • Mokona says:

    Hi. I’m a CPA with less than 1 year of experience in General Accounting. I like to be an IT Auditor someday, but my problem is that I can’t find a job for a CPA with little experience that relates to IT Auditing. I only found them at big 4 auditing firms, but sadly, It’s hard for me to enter the big 4. I already tried thrice but still no luck. Is there other positions or field that I can go to first for me to be an IT Auditor? Can I work at a small audit firm or internal audit and still acquire enough knowledge to be an IT Auditor and also to pass the CISA exam? I don’t know any IT Auditors that’s why I can’t get an advise. I’m also planning to enroll on a 1 year post baccalaureate diploma in Information Technology.

  • Arunmoy says:

    I am a b.tech(engineer) graduate in Computer Science Engineering.I recently joined IT Audit and Assurance team as a trainee in KPMG(KGS,Bangalore,India). I want to know about my career growth in this field also I want know if I want to move into technical which technical field could be the best one for me how shall I move into technical .As a company how far KPMG is good to start with this career and also in terms of salary?

    • Stephanie says:

      Hi Arunmoy,
      KPMG as one of the big 4 is among the best place to get started in audit in general. IT audit is pretty technical in nature, so I wonder what you mean by moving in technical? You can get a niche qualification such as CISA to gain the expertise level and respect. If you like the work, I encourage that you stay as long as you can to take advantage of the brand of KPMG. It’s going to be very useful down the road if you stay for at least a few more years. Regards, Stephanie

  • lee says:

    greeting am currently doing my degree in accounting and would like to major in systems audit.Which path should i take after the degree.

    • Stephanie says:

      Hi Lee, I would say try the path that you have most passion in! There may be other jobs that pay more, but in the long run, it’s much easier for you to excel when doing something you truly enjoy. Good luck! Stephanie

  • >