Expert: Don Sadler - 5/29/2009

Question
I have worked in IT for 12 years on and off as a contractor due to the bad job market for IT Pros. I have a BS in Information Technology and am interested to make a transition into the field of IT Audit. I heard and read so much about the demand for IT people to conduct Audits.  The certifications I would need in the field to open doors are the CISSP and CISA which requires experience to sit for the exam. My question is where do I start or what entry level certifications can lead me to these in the future after gaining some exposure?

Answer
I have had the pleasure of mentoring several experienced IT people as they mad the transition to IT Auditing.  It is not as difficult as you might think.  Auditing is nothing more than comparing ‘what is’ to ‘what should be’.  The problem many auditors have (due to lack of operational experience) is being able to adequately assess or understand ‘what is’ in order to make a valid comparison to ‘what should be’.  As a hiring authority, I would much prefer an experienced IT person to a pure auditor.  My background was deep in operations and I never really thought of myself as an auditor – which I believe accounts for the success I have enjoyed in being able to better communicate and relate to the people I audit.  You will have a similar experience.

I do not agree that you must meet experience requirements in order to take these certification tests.  It is my understanding that you may take the tests any time but you may not be certified until you have met the test AND experience requirements.  My advice would be to go the test you think most closely matches your experience.  A pass on that would boost your confidence and show that there is nothing particularly difficult on the tests so long as you know the subject.  Here is a link to the CISA test information (http://crum.pl/l7dj) there are a number of online resources for study/prep for the exam.

Auditing is educational as well as satisfying.  There is truly no better way to learn how a company actually works, from the executives all the way down to the hourly laborer. Audit covers it all, and in this profession you should quickly acquire a high degree of business acumen.  Further, Internal Audit is often a “spring board” or “launching pad” for internal promotions and growth within a company and/or industry.
In the US, the job prospects for internal auditors are excellent due to the Sarbanes-Oxley (SOX) legislation that was passed by congress in the wake of several big accounting scandals.  Here is a link that will provide US salary data for virtually any job.  See http://www.bls.gov/oco/home.htm for the information.

In your case, I would seek an internal audit position in your current company or another – I would avoid public accounting firms.  It is important that you fully understand the difference and distinction between Internal Auditors and External Auditors.  There are several differences between internal and external auditors that result in a symbiotic relationship that is both collaborative and adversarial.  Here is a quick overview

In the USA, External Auditors are required by the Security and Exchange Commission (SEC) for publicly traded companies.  Their purpose is to attest to the accuracy of financial statements.  In so doing, they are, by definition, focused on the past (backward looking).

Internal Auditors, on the other hand, are typically more process (solutions) oriented.  As such, they tend to be more focused on the future (forward looking).  Internal Auditors also have a fiduciary relationship to management.  In other words, they are on the same “team” as the company where they work whereas the External Auditors are definitely NOT on the same team.

This means that the Internal Auditors sort of “run interference” for the company to ensure that internal controls exist and are effective so that the External Auditors cannot find anything wrong and issue a negative opinion.  It also means that if the company is not publicly traded, they may not even have an Internal Audit group.

If the External Auditors issue a negative opinion or will not attest to the accuracy of the financial statements then the credit rating of the company goes down (since they are more of a risk to a lender), that follows by an increased cost of capital (borrowing money become more expensive due to a higher interest rate based on the increased risk).  When cost of capital increases, profit decreases as does earnings per share.

As far as individual advancement, it is best to seek training, education, experience, and credentials.  Join the professional associations available to you.  Some of the best known are:

- Institute of Internal Auditors (http://www.theiia.org)
- Information Systems Audit and Control Association (http://www.isaca.org)
- Association of Certified Fraud Examiners (http://www.acfe.com)
- American Institute of Certified Public Accountants (http://www.aicpa.org/)
- The International Information Systems Security Certification Consortium, Inc., (ISC)² (http://www.isc2.org/)

There is good training from many sources including local colleges.  Here is a link to various Internal Audit training resources (http://crum.pl/c7dk)