What are some major difficulties if one were to work for IT Audit, and Accounting? Also, what are some programming languages that suit IT Audit?

Hi David, I spent about 8 years as an internal auditor, and I received the Certified Internal Auditor (CIA) designation from the Institute of Internal Auditors (IIA). Most of the career IT auditors I worked with made it a point to get their Certified Information Systems Auditor (CISA) designation. You can find information about this on www.isaca.org .

When I was auditing, one of the areas I specialized in was computer assisted auditing techniques (CAATs). I would use a product called ACL to do this. There are a handful of tools on the market which accomplish the same things. Today I like to use Microstrategy for data mining and analysis. There are free tools like R which can also be used.

Anyhow, to be effective at this it is good to understand database structure, be able to access data (usually do this through sql), and be able to connect how actions in real life are represented in data form, so you can look for anomalous activity. Here's a real world example: sometimes companies limit the amount of money their managers can spend before asking for approval from someone higher than them in the organization. Let's say a manager is allowed to buy things that cost up to $5,000 without getting approval from their director. If you are using CAATs, you might look at your accounts payable data and see one manager with several transactions for $4,999. This indicates they are splitting up the cost of a much larger purchase to circumvent the internal controls (the $5,000 limit). Or, they found a way to buy an expensive item without having to ask their manager by splitting the payments up so each one falls under the $5,000 threshold.

From what I can remember, IT auditors often spend time looking at internal control design and effectiveness. Things like access controls (who can access which records within a system?), data center controls (are the servers secure and maintained with proper fire suppression, cooling, and back-up power), etc.

I was really interested in web design and ended up an auditor and did very well with it, so maybe it will work for you as well! One thing I can say is auditing won't provide the same work environment, but you will learn a ton about business and the career path and pay is rather good, especially once you get some years of experience under your belt.

Hi David,

I work in a business team that does security, data quality, data support, reporting, and IT projects. My team is in accounting and we work really closely with the audit teams. The only difficulty in the area of IT audit and accounting is that you must be interested in both the technical side and the business side of the company. For instance, my team has to understand what the accountants need, what is required for our business controls, and be technical also. My team focuses primarily on SQL programming although we do have team members that know VBA, various reporting tools, and SQL Server coding. I would say at least at Dell, the most important thing to know would be SQL. There are audit tools that some companies use, but in the end, data is the most important part of the equation. Many of my team members have been considered for audit positions because they understand the business and can pull data to support the audit process.

I hope that helps!
Best Wishes, Mark

Hi David,

I have seen that you have received a lot of really good advice and I just wanted add to what some have already mentioned. The IT audit profession is growing rapidly! I have spent the last three years working in support of the financial state audit by testing system automation for processing of transactions and IT general controls.IT general controls are made up of Logical Access (how a system is accessed and who has access to a system), Change Management (the process for governing changes to a production system), and Computer Operation (how data is transfered between systems within an environment).

There is more to IT Audit though than just supporting the financial statement audit that publicly traded companies are required to obtain. Any regulation that requires compliance will require an audit and somepoint to validated that a company is in compliance with the law or standard. An example of other types of audits that an IT Auditor may preform are PCI DSS (<span style="color: rgb(34, 34, 34);">Payment Card Industry Data Security Standard </span>) or GDPR (General Data Protection Regulation). GDPR is the newest regulation that was put in place within the EU that protect EU citizens data which effects all companies that operate or perform business within the EU, which most major companies do to some degree.

My recommendations would be that you add a second major or minor in accounting as the major systems in a companies IT environment will have accounting implications and in order to best audit the system, it helps to understand its role within the environment through accounting lense.

Hope this helps!