During my audits, training and teaching sessions, one of the frequent queries I come across is 'Sir, how do I become an IT auditor? What are the qualification criteria?'
The best answer to this is to quote from Ron Weber's well-known book, Information Systems Control and Audit: "To be a good auditor, you have to be better at business than your client."
The IS auditor or IT auditor should be able to comprehend what the business expects from its information systems, what the best IT practices are, and whether the organization's information systems actually realize those expectations and best practices. Since nearly every business is now more or less heavily dependent on information systems, management wants assurance from independent experts that those systems are doing what they should.
The purpose of an information systems audit is to evaluate whether computer-based information systems fulfil the following aims:
- Safeguard IT / IS assets
- Maintain data availability, integrity & confidentiality
- Achieve organizational objectives effectively
- Consume resources efficiently
- Adhere to applicable legal, statutory & contractual requirements
As per clause 7.1 of the ISO 19011 standard, the competence of auditors is based on the demonstration of personal attributes and the ability to apply the knowledge and skills gained through education, work experience, auditor training and audit experience.
The personal attributes required of an auditor are listed under clause 7.2 of the ISO 19011 standard and are as follows:
An auditor should be:
a) ethical, i.e. fair, truthful, sincere, honest and discreet;
b) open-minded, i.e. willing to consider alternative ideas or points of view;
c) diplomatic, i.e. tactful in dealing with people;
d) observant, i.e. actively aware of physical surroundings and activities;
e) perceptive, i.e. instinctively aware of and able to understand situations;
f) versatile, i.e. adjusts readily to different situations;
g) tenacious, i.e. persistent, focused on achieving objectives;
h) decisive, i.e. reaches timely conclusions based on logical reasoning and analysis; and
i) self-reliant, i.e. acts and functions independently while interacting effectively with others.
IT / IS auditing comprises numerous career directions with different educational paths. In general, employers prefer candidates with a graduate degree in Information Technology or Information Systems, though this is not mandatory. Apart from college education, professionals seeking a career in IT auditing may acquire knowledge and skills by attending training in their area of interest, since the spectrum of IT / IS audits covers several categories - Systems & Applications, IT Infrastructure & Enterprise Architecture, Systems Development, Telecommunications, Cloud Computing etc., to name a few.
Earning credentials by meeting the educational, work experience and exam requirements of professional associations is a common avenue to career advancement for auditors, but it is not always mandatory. For example, ISACA offers various credentials, including the Certified Information Systems Auditor (CISA), which is the most widely recognized certification for IT / IS auditors worldwide.
Further, IT / IS audits are carried out against criteria defined in different standards; some of the popular standards, frameworks and Acts are COBIT, COSO, PCI DSS, ISO 27001, ISO 9001, ITIL, SOX, HIPAA and SSAE 16, to name a few. Each of these may bring additional competence requirements of its own, so an auditor should expect to study the specific criteria, and in some cases obtain a further qualification, before auditing against them.