What exactly does it mean to be an "IT auditor"? To find out, we spoke to a former EY and Deloitte employee who spent the first 15 years of his career in the field.
🤔 But first, what's an auditor?
✨ "IT auditor" defined
❓Why do IT auditors exist?
🌈 What are the different types of IT auditors?
❌ What IT auditors are not
Where can I find internships?
To understand what an IT auditor is, it first helps to understand what auditors are in general.
An auditor is like a financial detective. They look at companies' financial records to make sure everything is correct and follows the rules. Their goal is to find mistakes, errors, or possible fraud.
Now, what does auditing mean in the context of IT?
Enter the IT auditor. While traditional auditors focus on financial records, IT auditors concentrate on an organization's IT infrastructure and systems. They make sure that everything from cybersecurity protocols to software development processes is functioning correctly and effectively.
In short, they verify that IT systems not only support the business but also protect it from vulnerabilities and risks.
IT auditors typically work at accounting firms.
Let's say you want to invest in a company. You'd probably want to check its finances (e.g. how much money it's making) before you make a decision.
But how do you know you can trust what a company says about its finances? This is where financial auditors come in. Every year, they go through a company's finances to make sure they're not fudging anything.
There's a slight complication though. Companies these days no longer record their finances with pen and paper. Instead, they use complex IT systems to do this.
So how do we know those IT systems are spitting out the right numbers? For example, how do we know someone hasn't hacked the system to change the numbers?
This is where IT auditors come in! IT auditors basically check that a company's IT systems are secure, reliable, and working properly so that financial auditors – and anyone who might invest in a company – have accurate information on how a company is actually doing.
IT audits are typically done together with or after financial audits. After we perform an IT audit, we'll offer an opinion to financial auditors like "All these IT systems that you're pulling data from are secure. The data should be accurate and you can rely on it."
There are three main types of IT auditors.
SOX auditors are the IT auditors we've mentioned so far – the ones who check a company's financial IT systems and let financial auditors know if these systems are working as they should.
Because SOX audits often come as part of a public company's mandatory yearly financial audits, there's a stable demand for SOX auditors, which is also why most IT auditors do SOX audits.
But what does SOX stand for? SOX is short for the Sarbanes-Oxley Act (2002), a US law designed to improve corporate transparency and cut down on fraud.
For more context –
All public companies in the US have to undergo an independent financial audit on an annual basis before they can release their 10-K. The majority of my experience has been working on the IT side of that.
What we do falls under SOX 404 (Section 404 of the Sarbanes-Oxley Act). We check every financially-relevant system at a company – this means:
- anything that processes financial data
- anything that's used for financial reporting
- anything that handles financial transactions
- adjacent systems where the data is used downstream to make financial decisions
All of these systems have what's called "IT controls," which are basically rules or required procedures that employees need to follow when interacting with the IT system.
For instance, say a company hires a new employee. This new employee will need access to e-mail and whatever applications the company has. In this case, the IT control here might be "Before access is given, it needs to be approved by the user's manager."
So if you're a system administrator (which means you grant access when it's requested), you need to be aware of that control.
As IT auditors, we'd go in and "test" these sorts of controls. Typically this involves asking for a list of new users for the applications we're concerned with. We'd then ask for evidence that these new users were approved before being given access to the system. Say the system administrator emails a manager to ask for approval. We'd ask for a screenshot of the e-mail.
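As an added illustration (not from the article or the interviewee), here is how the approval-before-access control test described above could be automated over the evidence an auditor collects: the new-user list from the application, the approval e-mails, and the HR roster of managers. All user names, timestamps and field names are constructed sample data.

```python
from datetime import datetime

# Constructed sample evidence (not from the article): the application's
# list of newly provisioned users, the approval e-mails the system
# administrator supplied, and the HR roster giving each user's manager.
NEW_USERS = [
    {"user": "asmith", "granted": "2024-01-08T09:15"},
    {"user": "bjones", "granted": "2024-01-09T14:00"},
    {"user": "cwang",  "granted": "2024-01-10T11:30"},
    {"user": "dlee",   "granted": "2024-01-11T08:00"},
]
APPROVALS = [
    {"user": "asmith", "approved": "2024-01-07T16:40", "approver": "jdoe"},
    {"user": "bjones", "approved": "2024-01-09T15:10", "approver": "jdoe"},
    {"user": "dlee",   "approved": "2024-01-10T17:00", "approver": "kpat"},
]
MANAGER_OF_RECORD = {"asmith": "jdoe", "bjones": "jdoe",
                     "cwang": "mroy", "dlee": "mroy"}


def _ts(text):
    return datetime.fromisoformat(text)


def find_control_exceptions(new_users, approvals, manager_of_record):
    """Test the control 'access is approved by the user's manager before
    it is granted'. Returns (user, reason) for every sampled user that
    fails; an empty list means the control operated effectively."""
    approval_by_user = {a["user"]: a for a in approvals}
    exceptions = []
    for entry in new_users:
        user = entry["user"]
        approval = approval_by_user.get(user)
        if approval is None:
            exceptions.append((user, "no approval evidence"))
        elif _ts(approval["approved"]) > _ts(entry["granted"]):
            exceptions.append((user, "approved after access was granted"))
        elif approval["approver"] != manager_of_record.get(user):
            exceptions.append((user, "approver is not the user's manager of record"))
    return exceptions


def control_operating_effectively(new_users, approvals, manager_of_record):
    return not find_control_exceptions(new_users, approvals, manager_of_record)


if __name__ == "__main__":
    for user, reason in find_control_exceptions(NEW_USERS, APPROVALS, MANAGER_OF_RECORD):
        print(f"EXCEPTION {user}: {reason}")
```

Each exception is the kind of finding the auditor would take back to the system administrator for explanation before concluding on the control.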
"SOC" stands for "Service Organization Control." "Service Organizations" are companies that sell their services to other companies. They're often referred to as "vendors."
Since companies rely heavily on their vendors for critical functions, they need to make sure their vendors follow good IT and financial reporting practices. (If your vendor gets hacked or goes out of business, you could go down too!)
This is where SOC auditors come in. They check a service organization to make sure they follow best practices. If the organization passes the audit, they'll become more attractive to potential clients, which is why organizations pay for SOC audits in the first place.
Here's some additional context.
IT auditors at any Big 4 public accounting firm or any mid-sized firm will do both SOX compliance and SOC reporting. Companies aren't required to have SOC reports but companies that are vendors to other companies will typically contract a public accounting firm to issue a SOC I or SOC II to sell business.
Say you're a company and you're considering a vendor that has a software solution that you can use. You'd ask them for their SOC I or SOC II report so you can form an opinion on the current state of that company. That'll help you form an opinion of the maturity of the company and how secure they are.
As an IT audit consultant, you'd advise companies on ways to prepare for IT audits.
Let's say a company is going to do a system implementation. Maybe they're implementing SAP or Oracle. They might hire a public accounting firm to come in and manage the system implementation from a compliance standpoint. IT consultants would make sure they're keeping the right evidence to eventually show auditors that they implemented the system correctly.
Note that IT auditors are distinct from the following roles.
The discipline of auditing is the same, but the types of controls you're testing are different. What I mean by this is that the way you approach audits and do testing (e.g. the types of questions you ask) is the same. It's just that financial auditors look at financial controls instead of IT ones. You're testing different pieces of the business.
Some other differences are that:
- IT auditors are typically paid more than financial auditors.
- We don't need to dedicate two years of our lives to getting a CPA! We do need a CISA (Certified Information Systems Auditor) certification, but it's more like six months' worth of effort as opposed to two years.
- IT auditors have a less intense busy season. Our busy season lasts about four months (Oct-Feb), during which we work 50-60 hours a week. Financial auditors, on the other hand, work 70-80 hours a week (7 days a week) for two months in a row.
You can find plenty of internships on Prosple. We have a vast selection of internships curated for students like you. Just filter 'til you find the right fit!