
Understanding the Role of IT Auditors in Ensuring IT Security and Compliance, Summaries of Accounting

This summary covers the importance of IT auditing in the modern business environment, where organizations rely heavily on technology for their operations. IT auditing is the formal, independent, and objective examination of an organization's IT infrastructure to ensure compliance with guidelines, safeguard assets, maintain data integrity, and operate effectively and efficiently. The summary also covers the differences between IT and IS, the role of IT auditors, the need for IT governance, and the types of IT audits. It highlights the increasing dependence on information, the rapidly changing technology, and the potential risks associated with IT, and it emphasizes the importance of IT auditors in assisting organizations in developing policies, procedures, standards, and best practices for safeguarding information and ensuring auditability, control, testing, and recovery.

Typology: Summaries

2020/2021

Uploaded on 11/02/2021

ronna-aniscal

1.1. IT Environment

The need for improved control over IT, especially in commerce, has been advanced over the years in earlier and continuing studies by many national and international organizations. Essentially, technology has impacted various significant areas of the business environment, including the use and processing of information, the control process, and the auditing profession.

• Technology has improved the ability to capture, store, analyze, and process tremendous amounts of data and information, expanding the empowerment of the business decision maker. It has also become a primary enabler to production and service processes. There is a residual effect in that the increased use of technology has resulted in increased budgets, increased successes and failures, and better awareness of the need for control.
• Technology has significantly impacted the control process around systems. Although control objectives have generally remained constant, except for some that are technology specific, technology has altered the way in which systems should be controlled. Safeguarding assets, as a control objective, remains the same whether it is done manually or is automated. However, the manner by which the control objective is met is certainly impacted.
• Technology has impacted the auditing profession in terms of how audits are performed (information capture and analysis, control concerns) and the knowledge required to draw conclusions regarding operational or system effectiveness, efficiency, and reporting integrity. Initially, the impact was focused on dealing with a changed processing environment. As the need for auditors with specialized technology skills grew, so did the IT auditing profession.

Technology is constantly evolving and finding ways to shape today’s IT environment in the organization. The following sections briefly describe various recent technologies that have and will certainly continue to revolutionize organizations, how business is done, and the dynamics of the workplace.

Enterprise Resource Planning (ERP)

According to the June 2016 edition of Apps Run the World, a technology market-research company devoted to the applications space, the worldwide market of ERP systems will reach $84.1 billion by 2020 versus $82.1 billion in 2015. ERP is software that provides standard business functionality in an integrated IT environment system (e.g., procurement, inventory, accounting, and human resources [HR]). Refer to Exhibit 1 for an illustration of the ERP modular system.

Exhibit 1 Enterprise resource planning modular system



ERPs allow multiple functions to access a common database—reducing storage costs and increasing consistency and accuracy of data from a single source. Additionally, ERPs:

• Have standard methods in place for automating processes (i.e., information in the HR system can be used by payroll, help desk, and so on).
• Share real-time information from modules (finance, HR, etc.) residing in one common database; hence, financial statements, analyses, and reports are generated faster and more frequently.

Some of the primary ERP suppliers today include SAP, FIS Global, Oracle, Fiserv, Intuit, Inc., Cerner Corporation, Microsoft, Ericsson, Infor, and McKesson. Despite the many advantages of ERPs, they are not much different than purchased or packaged systems and may therefore require extensive modifications to new or existing business processes. ERP modifications (i.e., software releases) require considerable programming to retrofit all of the organization-specific code. Because packaged systems are generic by nature, organizations may need to modify their business operations to match the vendor’s method of processing, for instance. Changes in business operations may not fit well into the organization’s culture or other processes and may also be costly due to training. Additionally, as ERPs are offered by a single vendor, risks associated with having a single supplier apply (e.g., depending on a single supplier for maintenance and support, specific hardware, or software requirements, etc.).

Cloud Computing

Cloud computing continues to have an increasing impact on the IT environment. According to ISACA (formerly known as the Information Systems Audit and Control Association), cloud computing, given its exponential growth, should no longer be considered an emerging technology. Cloud computing has shaped business across the globe, with some organizations utilizing it to perform business-critical processes.
Based on the July 2015 ISACA Innovation Insights report, cloud computing is considered one of the key trends driving business strategy. The International Data Corporation, in its 2015 publication, also predicts that cloud computing will grow at 19.4% annually over the next 5 years. Moreover, Deloitte’s 2016 Perspective’s Cloud Computing report indicates that for private companies, cloud computing will continue to be a dominant factor. Cloud computing, as defined by PC Magazine, refers to the use of the Internet (versus one’s computer’s hard drive) to store and access data and programs. In a more formal way, the National Institute of Standards and Technology (NIST) defines cloud computing as a “model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” NIST also stresses that availability is significantly promoted by this particular (cloud) model.

utilization and productivity, resulting in an enhanced decision-making process. The huge volumes of raw data or data sets (also referred to as Big Data) generated as a result of these massive interactions between devices and systems need to be processed and analyzed effectively in order to generate information that is meaningful and useful in the decision-making process. Big Data, as defined by the TechAmerica Foundation’s Federal Big Data Commission (2012), “describes large volumes of high velocity, complex and variable data that require advanced techniques and technologies to enable the capture, storage, distribution, management, and analysis of the information.” Gartner, Inc. further defines it as “… high-volume, high-velocity and/or high-variety information assets that demand cost-effective, innovative forms of information processing that enable enhanced insight, decision making, and process automation.” Even though accurate Big Data may lead to a more confident decision-making process, and better decisions often result in greater operational efficiency, cost reduction, and reduced risk, many challenges currently exist and must be addressed. Challenges of Big Data include, for instance, analysis, capture, data curation, search, sharing, storage, transfer, visualization, querying, as well as updating. Ernst & Young, in its EY Center for Board Matters’ September 2015 publication, states that challenges for auditors include the limited access to audit-relevant data, the scarcity of available and qualified personnel to process and analyze such particular data, and the timely integration of analytics into the audit. The IoT also delivers fast-moving data from sensors and devices around the world, and therefore results in similar challenges for many organizations when making sense of all that data.
Other recent technologies listed on Gartner’s 2015 Hype Cycle for Emerging Technologies Report that are currently impacting IT environments include wearables (e.g., smartwatches, etc.), autonomous vehicles, cryptocurrencies, consumer 3D printing, and speech-to-speech translation, among others.

IT Environment as Part of the Organization Strategy

In today’s environment, organizations must integrate their IT with business strategies to attain their overall objectives, get the most value out of their information, and capitalize on the technologies available to them. Where IT was formerly viewed as an enabler of an organization’s strategy, it is now regarded as an integral part of that strategy to attain profitability and service. At the same time, issues such as IT governance, international information infrastructure, security, and privacy and control of public and organization information have driven the need for self-review and self-assurance. For the IT manager, the words “audit” and “auditor” send chills up and down the spine. Yes, the auditor or the audit has been considered an evil that has to be dealt with by all managers. In the IT field, auditors in the past had to be trained or provided orientation in system concepts and operations to evaluate IT practices and applications. IT managers cringe at the auditor’s ability to evaluate the complexities and grasp the issues effectively and efficiently. Nowadays, IT auditors are expected to be well aware

of the organization’s IT infrastructure, policies, and operations before embarking on their reviews and examinations. More importantly, IT auditors must be capable of determining whether the IT controls in place by the organization ensure data protection and adequately align with the overall organization goals. Professional associations and organizations such as ISACA, the American Institute of Certified Public Accountants (AICPA), the Canadian Institute of Chartered Accountants (CICA), Institute of Internal Auditors (IIA), Association of Certified Fraud Examiners (ACFE), and others have issued guidance, instructions, and supported studies and research in audit areas.

1.2. What Is IT Auditing?

Before defining what IT auditing is, let us explain the difference between IS and IT. An IS, represented by three components (i.e., people, process, and IT), is the combination of strategic, managerial, and operational activities involved in managing information. The IT component of an IS involves the hardware, software, communication, and other facilities necessary to manage (i.e., input, store, process, transmit, and output) such information. Refer to Exhibit 1.2.

Exhibit 2 Information systems versus information technology

The term audit, according to ISACA, refers to the formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met. In combining both definitions above, IT auditing can be defined as the formal, independent, and objective examination of an organization’s IT infrastructure to determine whether the activities (e.g., procedures, controls, etc.) involved in gathering, processing, storing, distributing,

Application Controls Audit. It examines processing controls specific to the application. Application controls may also be referred to as “automated controls.” They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted, and reported. Examples of application controls include checking the mathematical accuracy of records, validating data input, and performing numerical sequence checks, among others. Application controls are likely to be effective when general controls are effective. Refer to Exhibit 1.3 for an illustration of general and application controls, and how they should be in place in order to mitigate risks and safeguard applications. Notice in the exhibit that the application system is constantly surrounded by risks. Risks are represented in the exhibit by explosion symbols. These risks could be in the form of unauthorized access, loss or theft of equipment and information, system shutdown, etc. The general controls, shown in the hexagon symbols, also surround the application and provide a “protective shield” against the risks. Lastly, there are the application or automated controls which reside inside the application and provide first-hand protection over the input, processing, and output of the information.
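As an added illustration that is not part of the summary or the textbook it condenses, the three application controls named above (mathematical accuracy, input validation, numerical sequence check) re-performed by an auditor over a constructed batch of invoice records; the Invoice fields, the CUST-#### customer-id format and all sample values are assumptions for this example.

```python
"""Re-performance of application controls over a batch of records (added example)."""
from dataclasses import dataclass
from decimal import Decimal
import re


@dataclass(frozen=True)
class Invoice:
    """One record as it left the application (fields are assumptions for this example)."""
    number: int            # document number; the application should issue these contiguously
    customer_id: str       # must match the CUST-#### format the application is meant to enforce
    lines: tuple           # line amounts as Decimal
    total: Decimal         # total as stored by the application
    approved_by: str       # user who authorized the record; empty means no authorization


CUSTOMER_ID_RE = re.compile(r"^CUST-\d{4}$")


def check_arithmetic(inv: Invoice) -> list:
    """Mathematical accuracy: the stored total must equal the recomputed sum of the lines."""
    expected = sum(inv.lines, Decimal("0"))
    if expected != inv.total:
        return [("ARITHMETIC", inv.number,
                 f"stored total {inv.total} != sum of lines {expected}")]
    return []


def check_input_validation(inv: Invoice) -> list:
    """Validity and authorization: key fields well-formed, amounts positive, record approved."""
    findings = []
    if not CUSTOMER_ID_RE.match(inv.customer_id):
        findings.append(("INVALID_INPUT", inv.number,
                         f"customer_id {inv.customer_id!r} does not match CUST-####"))
    if any(amount <= 0 for amount in inv.lines):
        findings.append(("INVALID_INPUT", inv.number, "non-positive line amount"))
    if not inv.approved_by:
        findings.append(("UNAUTHORIZED", inv.number, "record has no approver"))
    return findings


def check_sequence(invoices: list) -> list:
    """Completeness: document numbers must be contiguous; a gap or a duplicate is an exception."""
    findings = []
    numbers = sorted(inv.number for inv in invoices)
    for prev, cur in zip(numbers, numbers[1:]):
        if cur == prev:
            findings.append(("DUPLICATE", cur, "document number issued twice"))
        elif cur - prev > 1:
            missing = list(range(prev + 1, cur))
            findings.append(("SEQUENCE_GAP", cur, f"missing numbers {missing}"))
    return findings


def run_application_controls(invoices: list) -> dict:
    """Run all three controls over the batch and return the exceptions for the audit workpaper."""
    findings = []
    for inv in invoices:
        findings.extend(check_arithmetic(inv))
        findings.extend(check_input_validation(inv))
    findings.extend(check_sequence(invoices))
    return {"records_tested": len(invoices), "findings": findings}


# Constructed sample batch: one clean record, one whose total does not foot,
# one with a malformed customer id and no approver, and number 1003 never issued.
SAMPLE_INVOICES = [
    Invoice(1001, "CUST-0001", (Decimal("10.00"), Decimal("5.50")), Decimal("15.50"), "jdoe"),
    Invoice(1002, "CUST-0002", (Decimal("20.00"),), Decimal("25.00"), "jdoe"),
    Invoice(1004, "cust-3", (Decimal("1.00"),), Decimal("1.00"), ""),
]

if __name__ == "__main__":
    result = run_application_controls(SAMPLE_INVOICES)
    print(f"tested {result['records_tested']} records, {len(result['findings'])} exceptions")
    for code, number, detail in result["findings"]:
        print(f"  {code:13} invoice {number}: {detail}")
```

The batch yields four exceptions: an arithmetic error on 1002, an invalid customer id and a missing approver on 1004, and the gap at 1003.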

1.3. IT Auditing Trends

Computing has become indispensable to the activities of organizations worldwide. The Control Objectives for Information and Related Technology (COBIT) Framework was created in 1995 by ISACA. COBIT, now on its fifth edition, emphasizes this point and substantiates the need to research, develop, publicize, and promote up-to-date, internationally accepted IT control objectives. In earlier documents such as the 1993 discussion paper “Minimum Skill Levels in Information Technology for Professional Accountants” and their 1992 final report “The Impact of Information Technology on the Accountancy Profession,” the International Federation of Accountants (IFAC) acknowledges the need for better university-level education to address growing IT control concerns and issues. Reports of information theft, computer fraud, information abuse, and other related control concerns are being heard more frequently around the world. Organizations are more information conscious, people are scattered due to decentralization, and computers are used more extensively in all areas of commerce. Owing to the rapid diffusion of computer technologies and the ease of information accessibility, knowledgeable and well-trained IT auditors are needed to ensure that more effective controls are put in place to maintain data integrity and manage access to information. The need for better controls over IT has been echoed in the past by prior studies such as the AICPA Committee of Sponsoring Organizations of the Treadway Commission (COSO); International Organization for Standardization (ISO) 17799 and 27000; the IIA Systems Auditability and Control Report; Guidelines for the Security of IS by the OECD; the U.S. President’s Council on Integrity and Efficiency in Computer Audit Training curriculum; and the United States’ National Strategy for Securing Cyberspace released in 2002; among others.
The AICPA’s Assurance Services Executive Committee (ASEC) is responsible for updating and maintaining the Trust Services Principles and Criteria (TSPC) and creating a framework of principles and criteria to provide assurance on the integrity of information. TSPC presents criteria for use by practitioners when providing professional attestation or advisory services to assess controls relevant to the following principles:

• Security: The system is protected against unauthorized access (both physical and logical).
• Availability: The system is available for operation and use as committed or agreed.
• Processing integrity: System processing is complete, accurate, timely, and authorized.
• Confidentiality: Information designated as confidential is protected as committed or agreed.
• Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.

The theory and methodologies of IT auditing are integrated from five areas: a fundamental understanding of business, traditional auditing, IT management, behavioral

advanced switching systems has reduced the number of communications lines and further centralized the switching functions. Survey data indicates that the increased risk from these changes is not widely recognized. Since 9/11, more coordinated efforts have been made by U.S. defense organizations such as the Defense Information Systems Agency to promulgate standards for the Defense Information Infrastructure and the Global Information Grid, which should have a positive impact on information assurance that will extend beyond the U.S. Department of Defense and impact all segments of the national economy. The NSA has drafted and produced standards for IT security personnel that not only impact federal agencies but also corporate entities who contract IT services in support of the federal government. NIST, for example, has generated security guidance for Health Insurance Portability and Accountability Act compliance that impacts the medical profession and all corporations/businesses servicing the health field who handle medical information. A similar example includes the Payment Card Industry Data Security Standards (PCI DSS), maintained, managed, and promoted by the PCI Security Standards Council (Council) worldwide. The Council was founded in 2006 by major credit card companies, such as American Express, Discover, JCB International, MasterCard, and Visa, Inc. These companies share equally in governance, execution, and compliance of the Council’s work. PCI DSS refers to technical and operational requirements applicable specifically to entities that store, process, or transmit cardholder data, with the intention of protecting such data in order to reduce credit card fraud.

1.4. Need for IT Audit

Initially, IT auditing (formerly called electronic data processing [EDP], computer information systems [CIS], and IS auditing) evolved as an extension of traditional auditing.
At that time, the need for an IT audit came from several directions:

• Auditors realized that computers had impacted their ability to perform the attestation function.
• Corporate and information processing management recognized that computers were key resources for competing in the business environment, similar to other valuable business resources within the organization, and therefore the need for control and auditability was critical.
• Professional associations and organizations, and government entities recognized the need for IT control and auditability.

The early components of IT auditing were drawn from several areas. First, traditional auditing contributes knowledge of internal control practices and the overall control philosophy. Another contributor was IS management, which provides methodologies necessary to achieve successful design and implementation of systems. The field of behavioral science provided the questions and analysis as to when and why IS are likely to fail because of people problems. Finally, the field of computer science contributes knowledge about control concepts, discipline, theory, and the formal models that underlie hardware and software design as a basis for maintaining data validity, reliability, and integrity. IT auditing became an integral part of the audit function because it supports the auditor’s judgment on the quality of the information processed by computer systems.

Auditors with IT audit skills were viewed as the technological resource for the audit staff. The audit staff often looked to them for technical assistance. The IT auditor’s role evolved to provide assurance that adequate and appropriate controls are in place. Of course, the responsibility for ensuring that adequate internal controls are in place rests with management. The audit’s primary role, except in areas of management advisory services, is to provide a statement of assurance as to whether adequate and reliable internal controls are in place and are operating in an efficient and effective manner. Management’s role is to ensure and the auditors’ role is to assure. There are several types of needs within IT auditing, including organizational IT audits (management control over IT), technical IT audits (infrastructure, data centers, data communication), and application IT audits (business/financial/operational). There are also development/implementation IT audits (specification/requirements, design, development, and post-implementation phases), and compliance IT audits involving national or international standards. When auditing IT, the breadth and depth of knowledge required are extensive. 
For instance, auditing IT involves:

• Application of risk-oriented audit approaches
• Use of computer-assisted audit tools and techniques
• Application of standards (national or international) such as the ISO* to improve and implement quality systems in software development and meet IT security standards
• Understanding of business roles and expectations in the auditing of systems under development as well as the purchase of software packaging and project management
• Assessment of information security, confidentiality, privacy, and availability issues which can put the organization at risk
• Examination and verification of the organization’s compliance with any IT-related legal issues that may jeopardize or place the organization at risk
• Evaluation of complex systems development life cycles (SDLC) or new development techniques (i.e., prototyping, end-user computing, rapid systems, or application development)
• Reporting to management and performing a follow-up review to ensure actions taken at work

The auditing of IT and communications protocols typically involves the Internet, intranet, extranet, electronic data interchange, client servers, local and wide area networks, data communications, telecommunications, wireless technology, integrated voice/data/video systems, and the software and hardware that support these processes and functions. Some of the top reasons to initiate an IT audit include the increased dependence on information by organizations, the rapidly changing technology with new risks associated with such technology, and the support needed for financial statement audits. SOX also requires the assessment of internal controls and makes it mandatory for SEC registrants. As part of the process for assessing the effectiveness of internal controls over financial reporting, management needs to consider controls related to the

1.5. Role of the IT Auditor

The auditor evaluating today’s complex systems must have highly developed technical skills to understand the evolving methods of information processing. Contemporary systems carry risks such as non-compatible platforms, new methods to penetrate security through communication networks (e.g., the Internet), and the rapid decentralization of information processing with the resulting loss of centralized controls. As the use of IT in organizations continues to grow, auditing computerized systems must be accomplished without many of the guidelines established for the traditional auditing effort. In addition, new uses of IT introduce new risks, which in turn require new controls. IT auditors are in a unique position to evaluate the relevance of a particular system to the enterprise as a whole. Because of this, the IT auditor often plays a role in senior management decision making. The role of IT auditor can be examined through the process of IT governance and the existing standards of professional practice for this profession. As mentioned earlier, IT governance is an organizational involvement in the management and review of the use of IT in attaining the goals and objectives set by the organization.

IT Auditor as Counselor

In the past, users have abdicated responsibility for controlling computer systems, mostly because of the psychological barriers that surround the computer. As a result, there are few checks and balances, except for the IT auditor. IT auditors must take an active role in assisting organizations in developing policies, procedures, standards, and/or best practices on safeguarding of the information, auditability, control, testing, etc.
A good information security policy, for instance, may include:

• Specifying required security features
• Defining “reasonable expectations” of privacy regarding such issues as monitoring people’s activities
• Defining access rights and privileges and protecting assets from losses, disclosures, or damages by specifying acceptable use guidelines for users
• Providing guidelines for external communications (networks)
• Defining responsibilities of all users
• Establishing trust through an effective password policy
• Specifying recovery procedures
• Requiring violations to be recorded
• Acknowledging that owners, custodians, and clients of information need to report irregularities and protect its use and dissemination
• Providing users with support information

The SANS Institute provides general information security policy templates on its Website, which can be downloaded and be a great starting point for any organization. A good computer security policy will differ for each organization, corporation, or individual depending on security needs. An information security policy will not guarantee a system’s security or make the network completely safe from possible attacks from cyberspace. Nevertheless, a security policy, helped by effective security products and a

plan for recovery, may help limit potential losses to levels considered “acceptable,” and minimize the leaking of private information. The IT auditor is part of an institutional team that helps create shared governance over the use, application, and assurance over IT within the organization. An IT audit staff in a large corporation can make a major contribution to computer system control by persuading user groups to insist on a policy of comprehensive testing for all new systems and all changes to existing systems. By reviewing base-case results, user groups can control the accuracy of new or changed systems by actually performing a complete control function. Auditors must convince users and IT personnel of the need for a controlled IT environment. Insisting that all new systems be reviewed at predefined checkpoints throughout the system’s development life cycle can also enhance control of IT. The prospect of audit review should prompt both user and systems groups to define their objectives and assumptions more carefully. Here, too, IT auditors can subtly extend their influence.

IT Auditor as Partner of Senior Management

Although the IT auditor’s roles of counselor and skilled technician are vital to successful company operation, they may be irrelevant if the auditor fails to view auditing in relation to the organization as a whole. A system that appears well controlled may be inconsistent with the operation of a business. Decisions concerning the need for a system traditionally belonged to management, but because of a combination of factors (mostly the complex technology of the computer), computer system audits were not successfully performed. When allocating funds for new systems, management has had to rely on the judgment of computer personnel. Although their choices of new and more effective computer systems cannot be faulted, computer personnel have often failed to meet the true business needs of the organization.
Management needs the support of a skilled computer staff that understands the organization’s requirements, and IT auditors are in such a position to provide that information. They can provide management with an independent assessment of the effect of IT decisions on the business. In addition, the IT auditor can verify that all alternatives for a given project have been considered, all risks have been accurately assessed, the technical hardware and software solutions are correct, business needs will be satisfied, and costs are reasonable.

IT Auditor as Investigator

As a result of increased legislation and the use of computer evidence within the courts, the ability to capture and document computer-generated information related to criminal activity is critical for purposes of prosecution. The awareness and use of computer-assisted tools and techniques in performing forensic support work have provided new opportunities for the IT auditor, IT security personnel, and those within law enforcement and investigation. For the IT audit professional, computer forensics is an exciting, developing field. The IT auditor can work in the field of computer forensics or work side by side with a computer forensics specialist, supplying insight into a particular system or network. The specialists can ask the IT audit professionals questions pertaining to the system and get responses faster than having to do research and figure

especially the ones with business and computer majors, receive a degree of base-level training in (1) auditing concepts and practices; (2) management concepts and practices; (3) computer systems, telecommunications, operations, and software; (4) computer information processing techniques; and (5) understanding of business on local and international scales. These are some of the major core areas of competency identified by the various independent studies for the individual who enters the IT audit, control, and security field.

Certification

Certification is a vital component of a profession. As you prepare for entry into your profession, whether it is accounting, IS, or other business fields, certification will be the measure of your level of knowledge, skills, and abilities in the profession. For example, attainment of the CPA designation is an important career milestone for the practicing accountant. In IT auditing, the Certified Information Systems Auditor (CISA) is one of the main levels of recognition and attainment. There are certain requirements for candidates to become CISA certified, such as:

• Passing a rigorous written examination
• Evidencing a minimum of 5 years of professional IS auditing, control, or security work experience
• Adhering to ISACA’s Code of Professional Ethics and the Information Systems Auditing Standards as adopted by ISACA
• Agreeing to comply with the CISA Continuing Education Policy

The CISA examination covers areas (or domains) within the process of auditing IS; governance and management of IT; IS acquisition, development, and implementation; IS operations, maintenance, and service management; and the protection of information assets. Thus, university education plays an important part in providing the groundwork toward the certification process.
Other licenses and certifications relevant to the IT auditor include the following: CPA, Certified Chartered Accountant (CA), Certified Internal Auditor (CIA), Certified Computer Professional (CCP), Certified Government Financial Manager (CGFM), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), AICPA’s Certified Information Technology Professional (CITP), and Certified Fraud Examiner (CFE). Certification is important and a measure of skill attainment within the profession. Attainment of more than one certification will enhance your knowledge, skills, and abilities within the audit domain. Proficiency in skill application comes from experience and continuing education. The dynamic changes in business (commerce), IT, and world events continue to shape the future for this exciting profession.

Continuing Education

Certification requires continuing education so that those who are certified maintain a level of proficiency and continue their certification. Continuing education is an important

element for career growth. As graduates enter their profession, they will find that their academic education is the foundation for continued development of career-enhancing knowledge, skills, and abilities. A continuing education requirement exists to support the CISA program.

The IT auditor of the future will constantly face change with regard to existing systems and the dynamics of the environment (i.e., reorganization, new technology, operational change, and changing requirements). The breadth and depth of knowledge required to audit IT is extensive. For example, IT auditing involves the application of risk-oriented audit approaches; the use of computer-assisted audit tools and techniques (e.g., EnCase, CaseWare, IDEA, ACL, Guardant, eTrust, CA-Examine, etc.); the application of national or international standards (i.e., ISO 9000/3, ISO 17799, ISO 27000, and related amendments to improve and implement quality systems in software development); the auditing of systems under development involving complex SDLC or new development techniques (e.g., prototyping, end-user computing, rapid systems development, etc.); and the auditing of complex technologies involving electronic data interchange, client servers, local and wide area networks, data communications, telecommunications, and integrated voice/data/video systems.

Because the organizational environment in which the IT auditor operates is a dynamic one, it is important that new developments in the profession be understood so that they may be appropriately applied. Thus, the continuing education requirement helps the CISA attain new knowledge and skills to provide the most informed professional opinion. Training courses and programs are offered by a wide variety of associations and organizations to assist professionals in maintaining the skills they need to continue to improve and evolve.
Methods for receiving such training may even be global, with video teleconferencing and telecommuting and with the Internet playing a major role in training delivery.

Professional Associations and Ethical Standards

As a manager at any level, one must remember that auditors, whether internal or external, have standards of practice that they must follow. Like IT professionals, auditors may belong to one or more professional associations and have codes of ethics and professional standards of practice and guidance that help them in performing their reviews and audits. If they are seen not performing their work to “standards of practice” for their profession, they know they could be open to a potential lawsuit or even be “decertified.” Some of the organizations that have produced such standards of practice are the AICPA, IIA, IFAC, CICA, GAO, and ISACA.

ISACA, created in 1969, is the leading IT governance, assurance, security, and control professional association today. ISACA:

• provides knowledge and education on areas like IS assurance, information security, enterprise governance, IT risk management, and compliance.
• offers globally known certifications/designations, such as CISA, CISM, Certified in the Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC).
• develops and frequently updates international IS auditing and control standards, such as the COBIT standard. COBIT assists both IT auditors and IT management in performing their daily duties and responsibilities in the

specialization (e.g., forensics, security, etc.) will be transferred to such specialty for further training and career development. Many who have taken this career path have been successful, and several have become partners, principals, or directors within the firm. The primary sources for most public accounting firms are college recruitment and development within. However, it is not uncommon for a firm to hire from outside for specialized expertise (e.g., computer forensics, telecommunication, database systems, etc.).

Private Industry

Like public accounting firms, private industry offers entry-level IT audit professional positions. In addition, IT auditors gain expertise in more specialized areas (i.e., telecommunications, systems software, and systems design), which can make them candidates for IT operations, IT forensics, and IT security positions. Many CEOs view audit experience as a management training function. The IT auditor has particular strengths of educational background, practical experience with corporate IS, and understanding of executive decision making. Some companies have made a distinction between IT auditors and operational and financial auditors. Others require all internal auditors to be capable of auditing IT systems. Sources for persons to staff the IT audit function within a company generally may come from college recruitment, internal transfers, promotions, and/or outside hiring.

Management Consulting Firms

Another area of opportunity for IT audit personnel is management consulting. This career area is usually available to IT auditors with a number of years’ experience. Many management consulting practices, especially those that provide services in the computer IS environment, hire experienced IT auditors. This career path allows these candidates to use their particular knowledge, skills, and abilities in diagnosing an array of computer and management information issues and then assist the organization in implementing the solutions.
The usual resources for such positions are experienced personnel from public accounting CPA firms, private industries, and the government. IT forensics is another growing area in management consulting services.

Government

The government offers another avenue for one to gain IT audit experience. In the United States, federal, state, county, and city governments employ personnel to conduct IT audit-related responsibilities. Federal organizations such as the NSA, FBI, Department of Justice, and the CIA employ personnel who have IT audit experience, computer security experience, and IT forensics experience. Governments worldwide also employ personnel to conduct IT audits. Government positions offer training and experience to personnel responsible for performing IT audit functions. Sources for government IT auditors are college recruits and employees seeking internal promotion or transfer. There are occasions when experienced resources may be hired from the outside as well.