What is Information Auditing?
January 27, 2016 10:00 AM

Explain IT auditing to me, in plain terms, please.

Specifically, I mean IT auditing/IS audit control as would be practiced by someone seeking the CISA certification from ISACA. Where I'm most confused is about whether or not this is a practice that has any overlap with traditional financial auditing. Is this something an accountant can learn to do for IT firms? Or is this more of a QA/quality control review for IT?

I've searched this on multiple occasions and I infallibly end up tripped up in a mass of gobbledygook that makes no sense to me.

What is IT auditing? Is it related to traditional auditing? If not, what is the distinction? If it is, where is the dividing line? Is this something a person from accounting learns to do for IT companies? Or is this something an IT or networking professional would learn to do? Or neither. Or either. Or both.

Please assume my google fu is above average and that I've already read the top search results on this and related questions. This isn't an "I can't do an internet search so good" question. It's a "Hey, do you know about this thing? Can you explain this thing to me in a way that doesn't make my eyes roll back into my head?" kind of question.
posted by DirtyOldTown to Technology (3 answers total) 1 user marked this as a favorite
 
I work in accounting software and so have to help my customers work with both kinds of auditors and there can be some overlap, but everyone has the IT skillset as a baseline.

An IT audit is centered around security, with a side order of license and/or regulatory compliance in some cases/industries. But, at least some members of an audit team do have to understand financial business systems, because very few companies that would have an IT audit wouldn't have ERP software, and in most companies this is the most sensitive and significant operating software in use.

When I look at job descriptions for auditors, I generally see two flavors: one is pure IT experience with no finance or accounting requirements. The other primarily describes an IT career with some experience and/or a degree in finance or accounting. (There's a whole world of IT professionals whose primary responsibilities are financial systems and reporting, though you may think of IT people as being strictly networking types.)

Additionally, finance types have more experience interpreting ponderous regulatory requirements. And some auditors are very industry specific like healthcare, pharma, or banking, and those auditors will have a more specialized skillset but it is very unlikely that they have no IT background.

So everyone involved is an IT professional, some are hybrids. I recommend reading job descriptions to get a much clearer picture of what the profiles are and what words tend to get used for the various industries, if you're trying to make some career direction decisions.
posted by Lyn Never at 10:31 AM on January 27, 2016 [2 favorites]


In my experience it has usually involved an accounting firm that had internal IT specialists and others with specific domain knowledge, or had a contracting relationship with the same. The ones I have (very limited) familiarity with are the SOC standards.
posted by ndfine at 10:34 AM on January 27, 2016 [1 favorite]


Generally, most people start with an IT skillset or equivalent experience. Occasionally there are team members with non-IT specializations (which may include finance) who liaise with the other team members who do have the technical background.

The non-IT relevant skills that many people are lacking:
- Translating technical issues or 'geekspeak' to terminology understood by non-IT professionals. This may be part of the 'gobbledygook' you refer to.
- Report writing skills.
- Understanding legal/regulatory requirements.
posted by Ashlyth at 11:15 AM on January 27, 2016

