IT Auditing

I am considering an attempt to switch from a 2nd and 3rd line role into entry level IT auditing.

After passing the ITIL foundation exam, I am getting much more interested in the business/process side of things. We have recently been audited and it looked like inteesting work. I am pretty handy at writing proposals and reports.

Does anyone know how I could go about this? I have been looking at the CISA certification, but it requires a few years experience to get the cert. I'm not sure if it's acceptable to do the exam, then seek the experience.

Would my MCSA be of any use at all? I figure these auditors must have an idea about the stuff they audit but they are more interested in the how and why rather than the specific infrastructure?

Help would be appreciated. Thanks

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Turgon

steve_f wrote: »

I am considering an attempt to switch from a 2nd and 3rd line role into entry level IT auditing.

After passing the ITIL foundation exam, I am getting much more interested in the business/process side of things. We have recently been audited and it looked like inteesting work. I am pretty handy at writing proposals and reports.

Does anyone know how I could go about this? I have been looking at the CISA certification, but it requires a few years experience to get the cert. I'm not sure if it's acceptable to do the exam, then seek the experience.

Would my MCSA be of any use at all? I figure these auditors must have an idea about the stuff they audit but they are more interested in the how and why rather than the specific infrastructure?

Help would be appreciated. Thanks

Shoot that fella eMEe an email Im sure he could give you some pointers. I have some experience of auditors. I endured a BS7799 audit back in 2002. They generally follow templates to harvest the details they need for their reports by asking specialists lots of questions, often quite high level questions. I ran into an old guy who passed himself off as a Security Specialist during my first contract. He had no qualifications to speak of, wasn't technical and hadn't heard of the CISSP. Go figure. He was generally bugging busy people with lots of questions about how does x work, do you have resilience, do you have back ups, what would you do if this broke or that broke, what would be the impact of this and that and how long to fix. You get the general idea. One guy said to me 'We have been through all this before' and was fairly convinced they would lay the guy off at some point soon, but he was still there when I moved on. Companies love auditors. It ticks a box

There are some good jobs in it so if that is what floats your boat get accredited. I wouldn't let a lack of masses of experience hold you back. Just get with the programme because more companies are doing this now.

eMeS

steve_f wrote: »

I am considering an attempt to switch from a 2nd and 3rd line role into entry level IT auditing.

After passing the ITIL foundation exam, I am getting much more interested in the business/process side of things. We have recently been audited and it looked like inteesting work. I am pretty handy at writing proposals and reports.

Does anyone know how I could go about this?

It depends on the industry that you're in. I'm primarily from financial services, where we were constantly subject to various audits, so it was common for everyone to be involved in some type of audit at some level most of the time. I'm not sure about other industries, but in financial services it's pretty easy to move into an audit role...basically you just need a pulse (and that's debatable). I'm not sure about the extent of auditing in other industries, or really how easy it is to approach.

There are a number of large companies that will come in and do various type of audits. It has been my experience that these companies tend to hire people right out of college, with little or no IT experience, and set them off with a handful of templates and questionnaires which somehow adds up to an "audit".

In my case my audit-related role has really a lot of fun. It basically involved managing an overall IT audit program and sending the fresh-out-of-college IT auditors on wild goose chases. In another role I was given the task of regularly looking for things that were wrong in the organization at any level, and then kicking people in the sack until it got fixed. In yet another role I setup an internal audit function for an ISO/IEC 20000 certification program.

I would say that once you do some audit work, it tends to lead to more audit work.

Personally I think this market is about to grow, given all of the new regulations that will follow both healthcare and financial reform here in the US.

steve_f wrote: »

I have been looking at the CISA certification, but it requires a few years experience to get the cert. I'm not sure if it's acceptable to do the exam, then seek the experience.

It's my personal opinion, but I think ISACA has a higher opinion of their certifications than the market does. I have no hard facts to back that up, other than that I could do ITIL, PM, IBM, even Microsoft work ad naseum if I wanted to, but rarely do I ever get any contact stemming from holding a CISA.

It is my understanding that you can take the exam before earning the experience. In fact, as I remember it, they don't even ask you to prove your experience until after you have passed the exam.

Another certification you might consider is the CIA. It's geared towards internal auditors, and I'm not sure of the experience requirements for it.

Certified Internal Auditor - The Institute of Internal Auditors

steve_f wrote: »

Would my MCSA be of any use at all? I figure these auditors must have an idea about the stuff they audit but they are more interested in the how and why rather than the specific infrastructure?

Call me crazy, but I think the best auditors have a strong technical background, and are constantly working to keep their technical knowledge relevant. However, most auditors (at least most that I've encountered) probably couldn't find the power switch on a computer.

That said, I'd say that there's plenty of Microsoft implementations that need to be audited, so understanding all of the things that you know to become an MCSA would likely be helpful.

MS

eMeS

Turgon wrote: »

Shoot that fella eMEe an email Im sure he could give you some pointers. I have some experience of auditors. I endured a BS7799 audit back in 2002. They generally follow templates to harvest the details they need for their reports by asking specialists lots of questions, often quite high level questions. I ran into an old guy who passed himself off as a Security Specialist during my first contract. He had no qualifications to speak of, wasn't technical and hadn't heard of the CISSP. Go figure. He was generally bugging busy people with lots of questions about how does x work, do you have resilience, do you have back ups, what would you do if this broke or that broke, what would be the impact of this and that and how long to fix. You get the general idea. One guy said to me 'We have been through all this before' and was fairly convinced they would lay the guy off at some point soon, but he was still there when I moved on. Companies love auditors. It ticks a box

I'd say that this largely matches my experience as well. Generally-speaking, organizations want to be seen to be doing the right things, often without the hard work that goes into actually doing things right. Audits often have the air of being a sheep-dip. One of the reasons that I think this is is because the auditing company generally wants to get additional business from the audited company, and so are reluctant to leave turds in the punchbowl.

Additionally, I think Turgon has been somewhat complimentary in his evaluation of these auditors...I've seen much worse.

MS

UnixGuy

Very useful information here, thanks eMeS & Turgon !

steve_f

This is great information, thanks everyone.

I work in an accountancy firm, and my boss has done a couple of IT audits in his time, but he hates it and admits to completely faking it and knowing nothing about proper IT auditing.

I am going to complete my MCSE (have the 293 exam in a few weeks time) but I'm going to express my interest in IT audit to my boss (and his boss) and see if they can send me on a course or allow me to tag onto the next audit.

eMeS

steve_f wrote: »

I work in an accountancy firm

You should be all set....good luck.

MS

Turgon

eMeS wrote: »

I'd say that this largely matches my experience as well. Generally-speaking, organizations want to be seen to be doing the right things, often without the hard work that goes into actually doing things right. Audits often have the air of being a sheep-dip. One of the reasons that I think this is is because the auditing company generally wants to get additional business from the audited company, and so are reluctant to leave turds in the punchbowl.

Additionally, I think Turgon has been somewhat complimentary in his evaluation of these auditors...I've seen much worse.

MS

hehehehe..ah! The right pie chart. God knows what they actually do with all that information they accumulate. Often times I think they have already decided what recommendations they will make before they do the audit and harvest information to produce the histogram they want. Meanwhile the company continues to tank. You can easily get a lot of paperwork generated that says 'We are doing great' when actually the company is hurtling down a ravine of excrement without a paddle.

On the flip side I can see a need for auditing, process and everything else. Just make it meaningful, useful, light touch and above all be good at it so everyone can concentrate their energies on doing their jobs as well as they can. A good auditor is like a good referee, he moves in and out efficiently without interfering with play.

I relate to the college grad thing. Often times it's kids sent off with clipboards and templates to ask the questions. Price Waterhouse do this and other big accountancy/auditing/management consultancy firms. They do the same with management trainees and trainee project managers too. I suppose they have to learn somehow. But yes, QA, auditing and PM (at least in my experience) seems to be the province of a lot of people who are not particularly very good at anything else so they get channeled in that direction. I suppose that in itself presents an opportunity for those who are really good at it because they stand out by a mile.

tpatt100

I guess my auditing background is technical in nature. I use checklists and a crap load of excel work keeping track of things. I know at my last job if we hired somebody without technical experience I doubt they would have made it far. We constantly have to assist the Windows/Unix teams when we find something and they are not sure how to make it compliant. Usually our scanners find something and its a version of a dll file that is flagging the box as having a vulnerability even though the sys admin said he patched the box.

eMeS

tpatt100 wrote: »

I guess my auditing background is technical in nature. I use checklists and a crap load of excel work keeping track of things. I know at my last job if we hired somebody without technical experience I doubt they would have made it far. We constantly have to assist the Windows/Unix teams when we find something and they are not sure how to make it compliant. Usually our scanners find something and its a version of a dll file that is flagging the box as having a vulnerability even though the sys admin said he patched the box.

I think it really all depends on what the organization wants out of the audit. Sometimes they simply want to check the box, whereas other times they really want to find things that are wrong and fix them. Honestly I've seen both situations, even within the same organization.

Truly skilled auditors with strong technical skills are definitely in the minority of what I've seen in auditing, particularly in the financial services world...

MS