Top qualities for a good IT auditor

Updated from the original published on June 29, 2010


Training and experience are well and good, but the truth is some people are just not cut out for professional audit and security roles. Others take years to realise that it’s the perfect fit for them. Here we look at the top personality traits that help or hinder, and ask what auditors can do to address them.

  1. An enquiring and observant mind
    If you’re someone who asks ‘why’ to everything, you have great potential. The key to good audit and assurance work is not to take a checklist and tick it off, but to understand the environment in which the entity operates and ask enquiring questions, such as ‘what would happen if…’ or ‘why didn’t they…’ That means asking questions about people as well as technology. If on the other hand an auditor never asks the key questions – how, why, who, when, what’s the risk (and where’s the evidence!), they will find only what management gives them to find. That’s not much use to anyone.

  2. Attention to detail
    It’s all well and good to understand the big picture, but you also need to be able to grind through the intricacies of firewall configurations or project technical specifications. It’s not always interesting, but you can’t afford to neglect the smallest detail until you understand it, and you’re happy there’s no risk exposure arising from it.

  3. Business acumen
    ‘You must be joking!’ I hear you say. ‘Auditors don’t understand business, they try to stop it!’. Not true. Firstly, you need to have a real feel for the business in order to assess risks accurately and consider controls in the context of the environment in which they exist. Secondly, you need to be able to talk the same language.

  4. Confidence
    You’re only as good as your client thinks you are. If you don’t look, talk, and act like you know what you’re doing, you don’t know what you’re doing. Whether you’re interviewing operational staff or negotiating with your client’s Chief Executive, you need to have confidence – in your team, in your work, but mostly in yourself.

  5. Optimism
    Surprised? Don’t be. Do be a cynic, absolutely be sceptical, and always be someone who says trust comes easier when you can verify it but with difficulty when you can’t. Just don’t be a pessimist, please. It does no good to go in assuming nothing will work, assuming controls will not be implemented, waiting for the worst and finding it everywhere. Be someone who looks objectively with an open mind – and comes up with a positive, optimistic solution that gives the client a push forward, not a push over the edge. Plus, who would you rather work with or have working for you – the auditor who says it’s going to rain – or the auditor who hopes for sun, but brings an umbrella just in case?

  6. An interest in technology, as well as people
    The five points above fit just as well for all assurance roles. An active interest in IT is the differentiator. If you just think financial or internal audit is boring, think IT audit is better paid, or have romantic dreams about ‘hackers’ and Angelina Jolie, forget it today and try something easier, like operational management or grounds maintenance (depending what takes your fancy). IT assurance or security roles are generally fun unless you’re not actually interested in things with plugs that go ‘beep’.

    You don’t need to have been a teenage hacker, think online gaming is more fun than a trip to the pub, or count sheep in binary when you’re trying to go to sleep (admittedly I’ve had a passable go at all three, but then I’m geek enough to write this stuff in my spare time). However, if you’ve come this far and only gained a basic understanding of Microsoft Office, all the training in the world won’t make you interested enough. If on the other hand you can only converse with another human being in machine code and think B.O. is something that only affects other people who are daft enough to wash, maybe it’s time to take more of an interest in the people side?

This list is of course inherently subjective, and if you don’t have these qualities you may well have others that are worth just as much. Qualities you don’t have in abundance can always be worked on and improved. However, if you’re a disinterested, unfocused pessimist with a low sense of self worth, audit might not be the career for you!


What skills do you think a good IT auditor needs? Help others considering a career in IT audit and cyber security assurance by sharing in the comments below.
