IT Auditing jobs?

[Dougmeister]

I'm tired of programming. I saw a job on Monster a while back for an IT Auditor position. I have a little bit of experience in that field, but not much. I'd like to research it and am wondering if anyone out there either works directly in that field or knows someone who does.

Should I pursue getting a certification? How else could I transfer the (maybe) 6 months I have of doing work that resembled IT Auditing into this? Does it usually involve a lot of travel?

 

[Jadow]

it may require travel. THey could be auditing a lot of things, security, internal controls, user access rights, business processes etc... Just about anything can be audited. With SOX, they audit that you're doing what you say you're doing, which could open up just about anything to an audit.

 

[RKS]

If this is similar to systems auditing, my brother did this for a couple years for a Big 4 accounting firm (E&Y). It was 90% travel. He had an accounting/finance degree but did take a Certified Systems Auditor exam.

 

[mcmilljb]

I interviewed for a position they called "information assurance analyst". Basically it was doing auditing of computer systems for the government, mostly DoD type stuff, to make sure they met security standards. The company acted like a 3rd party in certifying they met all the requirements. It had a decent mix of traveling time depending on which assignment you want/get. They had assignments all over the world, and the pay looked pretty good for an entry-level position. They also required as bachelors degree in a science field which seemed kind of excessive, but they said it was required by the government. Also no one likes auditors so you have to have thick skin and be pretty good at getting through bs.

Certifications help because you will be required to have them if you want to do certain government contracts, but they were pretty flexible about getting what was needed during the first month on the job. I would say experience is really the biggest factor though. If you don't know any thing about the system/software, you're pretty much useless. CISA and CISSP seemed highly desired though.

 

[TruePaige]

That makes me wonder if when I'm an accountant since I have a background in IT already if I could do something fun involving both...hmm

 

[JS80]

Originally posted by: TruePaige
That makes me wonder if when I'm an accountant since I have a background in IT already if I could do something fun involving both...hmm

don't do it it's wack. there is no exit plan. you pigeon hole yourself into a relatively worthless profession.

 

[kstu]

Originally posted by: JS80

Originally posted by: TruePaige
That makes me wonder if when I'm an accountant since I have a background in IT already if I could do something fun involving both...hmm

don't do it it's wack. there is no exit plan. you pigeon hole yourself into a relatively worthless profession.

This.

 

[TruePaige]

Originally posted by: kstu

Originally posted by: JS80

Originally posted by: TruePaige
That makes me wonder if when I'm an accountant since I have a background in IT already if I could do something fun involving both...hmm

don't do it it's wack. there is no exit plan. you pigeon hole yourself into a relatively worthless profession.

This.

Noted.

IT is scary like that. Some roles have no vertical growth.

 

[spidey07]

Originally posted by: Jadow
it may require travel. THey could be auditing a lot of things, security, internal controls, user access rights, business processes etc... Just about anything can be audited. With SOX, they audit that you're doing what you say you're doing, which could open up just about anything to an audit.

Pretty much. IT auditing is a scam, but you can make really good money at it. I'm not saying the profession is a scam, but the practice of it is. There is a lot of money to be made in this field and it is flooded with people who have no idea of what they are actually auditing.

Basically your knowledge in IT doesn't matter, your training should be in auditing. This entails selling your soul and going against everything you know in your heart to be bad, but doing it anyway. Again, very lucrative field this is.

 

[Red Squirrel]

Guessing it's auditing data centers and stuff for SAS70 compliance and what not. But guess it could be a lot of other things too.

 

[guyver01]

Our auditing department's "definition" is as follows:

The IT Audit Group is responsible for reviewing all operations and activities of <company name> and it subsidiaries. The purpose of the Audit Group is to perform an independent appraisal of business controls and their effectiveness.

 

[vital]

<-- IT Auditor
CISA certified, currently studying for CISSP. What kind of experience in IT Auditing do you have?

 

[jinduy]

IT auditing, from a software development standpoint, has mainly been about ensuring code in development is transferred from dev -> qa -> prod with separate groups (i.e. dev/qa/source control personnel) being responsible for each environment. So devs cannot write to production servers, for example. So many things go into it like ensuring developers have proper access. Then there's other stuff like making sure proper testing has been done (documentation, checksums of code, approval of testing results, etc).

That's stuff at the top of my head. Honestly I think it's a growing problem for big businesses and amounts to a lot of extra ($$$$) overhead in IT.

 

[dbk]

<- contract auditor....
never out shit to audit...

i have a friend who's an IT auditor...he doesn't like it that much

he's sick of IT (surprisingly)

 

[Zugzwang152]

Originally posted by: spidey07

Originally posted by: Jadow
it may require travel. THey could be auditing a lot of things, security, internal controls, user access rights, business processes etc... Just about anything can be audited. With SOX, they audit that you're doing what you say you're doing, which could open up just about anything to an audit.

Pretty much. IT auditing is a scam, but you can make really good money at it. I'm not saying the profession is a scam, but the practice of it is. There is a lot of money to be made in this field and it is flooded with people who have no idea of what they are actually auditing.

Basically your knowledge in IT doesn't matter, your training should be in auditing. This entails selling your soul and going against everything you know in your heart to be bad, but doing it anyway. Again, very lucrative field this is.

This is not entirely true. Like any other field, there are good and bad folks. Some people have no clue what they're doing, and others are actually quite knowledgable with hard experience in a field of IT. The pay, from what I've heard, is decentbut just like a financial auditor or accountant, the hours are long and very cyclical.

Good IT auditors have strong business knowledge and analytical skills. They don't need to understand IT systems at great depth, just at the conceptual level. This may be where spidey's opinion that their IT knowledge doesn't matter coms from. In reality, it does matter, you just don't need as much of it. Data analysis and general business knowledge help you much more than direct IT knowledge.

As part of the in-house security team for my company, I deal with IT and other auditors on a regular basis, and have formed a somewhat positive opinion of the profession. I'm actually looking into getting a CISA just to understand where they're coming from in greater depth.

 

[Ns1]

You test controls and make reports.

 

[Dougmeister]

As much as I hate being a consultant, and as much as I think I'm tired of programming, I *really* like my 40 hours a week.

Does IT Auditor definitely mean a lot of overtime? How much are we talking here?

 

[DT4K]

My definitions.

IT Auditor: Guy who knows nothing about IT, but shows up anyway to be a general pain in my ass and try to tell me to do fucking ridiculously impossible things that don't even make any sense, but give the false impression (to unknowledgeable idiots) that everything is being done "correctly" and in a way that ensures nobody can change anything without it being tracked and documented.

or

IT Auditor: Guy who everyone in IT fucking hates.

 

[rasczak]

Originally posted by: DT4K
My definitions.

IT Auditor: Guy who knows nothing about IT, but shows up anyway to be a general pain in my ass and try to tell me to do fucking ridiculously impossible things that don't even make any sense, but give the false impression (to unknowledgeable idiots) that everything is being done "correctly" and in a way that ensures nobody can change anything without it being tracked and documented.

or

IT Auditor: Guy who everyone in IT fucking hates.

It's a necessary evil. that's all I've got to say about that.

 

[DT4K]

Originally posted by: rasczak

Originally posted by: DT4K
My definitions.

IT Auditor: Guy who knows nothing about IT, but shows up anyway to be a general pain in my ass and try to tell me to do fucking ridiculously impossible things that don't even make any sense, but give the false impression (to unknowledgeable idiots) that everything is being done "correctly" and in a way that ensures nobody can change anything without it being tracked and documented.

or

IT Auditor: Guy who everyone in IT fucking hates.

It's a necessary evil. that's all I've got to say about that.

Only when it's required by law, like SOX crap.

The auditing that I've seen has no real benefit. It's all about having paperwork that says you're in compliance with whatever standards.

 

[zerogear]

I hate auditors, they make us do stuff Haha, Generally yeah, its to audit procedures to see if its up to corporate/company standards, may it be security settings/documentation/user rights on servers, etc.

 

[0roo0roo]

Originally posted by: mcmilljb
I interviewed for a position they called "information assurance analyst". Basically it was doing auditing of computer systems for the government, mostly DoD type stuff, to make sure they met security standards. The company acted like a 3rd party in certifying they met all the requirements. It had a decent mix of traveling time depending on which assignment you want/get. They had assignments all over the world, and the pay looked pretty good for an entry-level position. They also required as bachelors degree in a science field which seemed kind of excessive, but they said it was required by the government. Also no one likes auditors so you have to have thick skin and be pretty good at getting through bs.

Certifications help because you will be required to have them if you want to do certain government contracts, but they were pretty flexible about getting what was needed during the first month on the job. I would say experience is really the biggest factor though. If you don't know any thing about the system/software, you're pretty much useless. CISA and CISSP seemed highly desired though.

lol thats why the chinese have our f-35 design data now

 

[ggnl]

I do a lot of IT auditing as part of my job (internal auditor). I hate it compared to financial auditing, mainly because IT depts. are so fucking hostile compared to finance people who have a lot of experience with accounting and understand the value of audits.

 

[Gibson486]

sounds like a "consulting" position.

A firm hires a bunch of people to go out and get work by "improving" something in the process. In this case, it is the IT process. Improvements include but are not limited to upgrading existing infrastructure, outsourcing overhead work to the firm that wants the work, overseaing the upgrade of something (like moving a company to peoplesoft software), making a troubled network work and the list can go on.

There are a bunch of companies that could use this, but the companies really need something like this are engineering companies that have really stubborn IT departments. Those IT dept. will not let those people in the door, even though their IT dept is ruining company productivity (people who work on the business end of an engineering company, especially software, know what I am talking about). As a result, most of the work they end up doing is on the business end where things have been upgraded to death with upgrades that are useless. In the end, it creates a bigger mess because what they end up "fixing" usually makes something else broken. They don't have the current consultant come back, because it is not in their scope of work to fix it, so the consultant says, "hey, I am done, give me my money...if you want to change the scope, guess what, CHANGE ORDER", and he leaves. The company must now find another consulting firm to fix the problem that was left behind, or he can pony up the cash for a change order (which cost more than moving on to a different firm). It is this never ending cycle......

 

[ivan2]

never had one auditing my code, but from our stubborn IT folks all they do are reading from a manual.