Enthusiasm for supporting and sharing guidance with the next wave of professionals is part of what makes ISACA’s global community unmatched.
Below, experienced IT audit professionals from the ISACA community share tips with up-and-coming auditors about how they can succeed in the modern audit landscape.
Understand Business Strategy and Processes Early
In the early years of IT auditing, new auditors were primarily tasked with learning key business processes and the IT controls that supported them. This often meant conducting extensive reviews of system transactions and their manual supporting documents, while supervisors concentrated on controls tied to the organization’s strategic performance.
Today, with advanced auditing tools, much of the manual work is automated. Working papers that once took days can now be completed in less than 30 minutes. For example, reviewing a service level agreement (SLA) now involves creating audit questions, uploading the SLA into the tool and using AI-powered data mining techniques to instantly extract relevant information and generate well-documented working papers. The auditor’s role is then to validate the accuracy of the matched sections and draw conclusions.
For those of us who have spent years in the trenches, this transformation is both exciting and remarkable. Yet it raises an important question: if document analysis and working papers can now be produced so quickly, what will new IT auditors focus on? The era of manual work is fading, and the demand for strategic, process-driven and analytical auditors is rising rapidly. This expectation will not rest solely on supervisors; it will extend to junior auditors as well, requiring them to take on greater responsibility and accountability early in their careers.
Learn to quickly understand the business strategy, core processes and performance measures. This accelerated understanding will be critical as technology reduces manual tasks.
- Ookeditse Kamau, AIGP, CIA, CRMA, CISA, CDPSE, ISO 27001 Practitioner and Lead Auditor
Start Where You Are
For newer and upcoming IT auditors, one key tip to excel is to start from where you are and master it deeply, even if your current role is not labelled “IT audit.” In my own journey as a bank internal auditor in Nigeria, I was initially restricted to reviewing controls strictly at branch level. Rather than seeing this as a limitation, I used it to build a strong foundation in core control concepts, process flows, segregation of duties and risk thinking. A major turning point was acquiring my CISA certification, which gave me both technical credibility and structured IT audit knowledge, leading to my deployment to the IT audit desk at Head Office to work with seasoned IT auditors. The lesson here: invest early in relevant certifications, but also ensure your practical understanding of controls and processes is solid—certificates open doors, but competence keeps them open.
Another powerful accelerator in my growth was active professional volunteering and continuous exposure beyond my day job. I deliberately volunteered with ISACA in several capacities, including the Emerging Trends Working Group, the IT Audit and Assurance Advisory Group, participation in the Introduction to AI for Auditors online beta course, and involvement in several audit program reviews, including PCI DSS. These experiences gave me early visibility into cybersecurity, AI, compliance frameworks and global audit practices, far beyond what my local role alone could offer. For upcoming IT auditors, this means you should not limit learning to your office—engage professional bodies, volunteer deliberately, review standards, test tools and contribute to the profession. This combination of strong fundamentals, targeted certifications and visible professional engagement is what truly accelerates growth and relevance in IT audit.
- Wole Davis, CISA, CFE
Cultivate Controlled Curiosity
There’s a dangerous sweet spot in IT audit where you know just enough to sound smart in meetings but not enough to actually be right—I've been there, we all have. The antidote? What I call “controlled curiosity,” or as I like to think of it, being professionally nosy without becoming that person everyone avoids in the hallway.
Early on, train yourself to ask one more question even when you think you've got it figured out. Someone says, “We have compensating controls”? Great—what are they, and can we see them in action? A system’s flagged as “low risk”? Cool, but why? Who decided that, and what were they smoking? (Kidding. Mostly.)
The trick is balancing your inner detective with pragmatism—you need to know when you’ve got enough evidence versus when you’re three hours deep into a rabbit hole wondering how you got from reviewing access controls to reading about the history of mainframe architecture. The best auditors I know have this sixth sense, a little voice that whispers “Something's off here” when everyone else has moved on. They didn't download that instinct from a certification course—they developed it by staying curious, asking the slightly awkward questions and being skeptically friendly rather than cynically annoying.
- Anamika Roy, CA, MBA, CIA, CISA, CISM, AAIA | Director – IT Audit & Data Analytics
You Don’t Need to Know Everything
The technology field is complex and adapts at lightning speed, and early in your career it can feel overwhelming to keep up. Over time, what becomes clear is that you don’t succeed by trying to know everything; you succeed by committing to never stop learning. Staying curious, reading consistently and paying attention to how technology is actually being used in practice will serve you far better than memorizing frameworks without understanding how they apply. Continuous learning isn’t about perfection; it’s about staying engaged enough to recognize when something no longer makes sense and having the confidence to dig deeper.
As your understanding grows, so should your ability to see technology environments as interconnected systems rather than isolated components. Many of the most meaningful risks don’t live neatly within a single application or process; they emerge where systems meet, where responsibilities are unclear, or where assumptions go unchallenged. Developing this perspective takes time, and it’s not something you should try to do alone. Lean on your network early and often, such as other auditors, engineers, mentors and peers, to test your thinking, uncover blind spots, and learn from shared experience. Some of the most valuable insights you’ll gain won’t come from documentation or testing alone; they’ll come from thoughtful conversations.
- Chase Tramel, CISA, CRISC, Information Systems Audit Manager
Nurture an End-to-End Mindset
Two of the most valuable traits for new IT auditors are curiosity and a genuine love for continual learning. Curiosity drives auditors to dig deeper – to understand not just what a system does, but why it operates the way it does and how all the moving parts connect. When people ask why I pursued a career in audit, I often say it’s because I want to understand how things function from end to end: how an idea begins in one business unit, how it’s built on the back end, and how teams ensure it operates as intended while still protecting the organization, its employees, and the clients or end users who rely on it. That mindset of wanting to understand the full lifecycle of a process or technology is what transforms a good auditor into an exceptional one.
Equally important is committing to continuous learning. In the audit profession, people frequently rely on you for answers, whether they’re technical, operational, or even strategic. Building a habit of continual growth strengthens your knowledge base and your credibility. Learning doesn’t always have to be formal; it can come from pursuing certifications, reading industry blogs and articles, listening to podcasts, presenting on technology or security topics or teaching classes. Each of these activities exposes you to new perspectives and new developments in the field. Ultimately, continuous learning not only improves your skill set, but also helps you stay adaptable in a constantly evolving technological landscape.
- Laura Zannucci, Audit Manager, SBS CyberSecurity