An introduction to IT Audit & Information Assurance careers
Updated from the original published on July 1, 2010
Who should read this?
You’re here because you want to learn more about IT audit and assurance. So I’ll get straight to the point.
You’re probably here because you are interested in, commencing, or early in your career in the field of IT audit and assurance. I welcome you and wish you the very best.
You may be here as a more experienced professional, evaluating or re-evaluating different routes or considering how best to develop your skills and your career. The opportunities are many, and I wish you continued success.
You might also be here because you are an audit client, a board member, or otherwise want to understand your auditors better. I commend you for your open-minded approach and willingness to learn. It will make you a better and more empathetic leader.
Whichever applies to you, welcome. This is all written, by hand, just for you.
How will this guide help me?
The IT Audit Careers Guide brings together all my writing on the topic of careers in IT audit and information (or cyber) assurance. This was originally posted on a website called ISRisk, and I have now updated it, added to it, and reposted it here because - 15 years later - it’s still popular. So much so that long after the original website died, people are still pulling it from Wayback Machine and asking me about it. When I took it offline, I didn’t realise it was helping people as much as it was. So now (if you like it) it’s here to stay. I hope you find it useful as you set out on your journey in audit and assurance.
Why should I listen to you?
It’s sensible to ask why I’m qualified to write about this. If everyone asked that before reading, there would be much less rubbish on the internet! I’m glad you asked though: you see, you’re asking good auditor questions already :-)
So here’s a little bit about me.
I started my career in financial audit at KPMG, auditing big technology and telecoms companies.
I continued it in public sector internal audit at RSM Tenon, with a focus on computer forensics and data analytics.
I moved fully into ‘computer audit’ (as it was then called) at a UK mutual lender, auditing a range of financial services companies.
I co-ordinated technology assurance for one of the world’s biggest banks.
I was audited (a lot) at various global financial services companies, whilst running 1st line information security, client advisory and IT functions.
I chaired the Audit Committee for a large social housing provider.
I brought in new auditors following a financial meltdown at an NHS Foundation Trust.
I chair the Audit Committee for a national financial services regulator.
Along the way I obtained a range of qualifications, including:
Chartered Certified Accountant (FCCA)
Certified in Information Systems Audit (CISA)
Qualified in IT Service Management (ITIL), Computer Forensics (EnCase), and Project Management (PRINCE2)
And various others.
So now we have met, we can get going without further formalities. Of course, if you’d like to know more about me or ask me anything, please do. You can find me on LinkedIn here (do follow and say hi).
What does the guide cover?
The guide is currently structured into four main parts.
An introduction to audit, IT audit, and related assurance work. There are many different terms for these roles, but they all boil down to the same basic thing:
helping organisations achieve sustainable success by ensuring they are only taking intended risks. It sounds simple enough, but unpacking that sentence is a difficult and rewarding business. Note the underlined words: pretty much everything difficult in assurance is explained by these two words. You might also be surprised that rather than jumping in to pen testing or network auditing, we talk about audit more generally. That’s intentional: auditors have been around for thousands of years, yet most technology auditing practice ignores this. As a result, we are destined to repeat mistakes. By looking at assurance in its widest context, we can make new and original mistakes instead of the same old ones. That way lies progress, and success.
A section on qualifications and training. Be warned, this profession is unusual in having a surplus of competing and confusing certification bodies and schemes testing technical capability, combined with a deficit of professional bodies setting ethics, behaviours and professional practice requirements in a meaningful way. The result, of course, is snake oil. Don’t buy snake oil, and please don’t sell it. If you do, the organisation hiring you gets only fear, uncertainty and doubt. Qualifications are valuable and often quite rightly necessary, and claiming they universally are not is foolish. But look at them for what they are. Be discerning. There are easier paths and harder ones, but there are no shortcuts.
Information on different types of assurance role, to help you evaluate which could be right for you. This is largely self-explanatory. My only guidance here is to remember there is rarely a single right path, and the ones that don’t lead where you think (or hope) are often the most interesting. Whatever you choose, keep learning.
Endnotes. Further thoughts for additional insight, and things I had fun writing, that might help you process and analyse the information in sections 1-3… or they might not, but the only way to find out is to read the guide :-)
Good luck!
Matt
Help others considering a career in IT audit and cyber security assurance by sharing in the comments below.