Top qualities for a good IT auditor

Training and experience are well and good, but the truth is some people are just not cut out for professional audit and security roles. Others take years to realise that it’s the perfect fit for them. Here isrisk.net looks at the top personality traits that help or hinder, and asks what auditors can do to address them.

  1. An enquiring and observant mind.
    If you’re someone who asks ‘why’ to everything, you have great potential. The key to good audit is not to take a checklist and tick it off, but to understand the environment in which the entity operates and ask enquiring questions, such as ‘what would happen if…’ or ‘why didn’t they…’  That means asking questions about people as well as technology. If on the other hand an auditor never asks the key questions – how, why, who, when, what’s the risk (and where’s the evidence!), they will find only what management gives them to find. That’s not much use to anyone.
  2. Attention to detail.
    It’s all well and good to understand the big picture, but you also need to be able to grind through the intricacies of firewall configurations or project technical specifications. It’s not always interesting, but you can’t afford to neglect the smallest detail until you understand it, and you’re happy there’s no risk exposure arising from it.
  3. Business acumen.
    ‘You must be joking!’ I hear you say. ‘Auditors don’t understand business, they try to stop it!’. Not true. Firstly, you need to have a real feel for the business in order to assess risks accurately and consider controls in the context of the environment in which they exist. Secondly, you need to be able to talk the same language.
  4. Confidence.
    You’re only as good as your client thinks you are. If you don’t look, talk, and act like you know what you’re doing, you don’t know what you’re doing. Whether you’re interviewing operational staff or negotiating with your client’s Chief Executive, you need to have confidence – in your team, in your work, but mostly in yourself.
  5. Optimism.
    Surprised? Don’t be. Do be a cynic, absolutely be sceptical, always be someone who says trust comes easily when you don’t need to rely on it, and with difficulty when you do. Just don’t be a pessimist, please. It does no good to go in assuming nothing will work, assuming controls will not be implemented, waiting for the worst and finding it everywhere. Be someone who looks objectively with an open mind – and comes up with a positive, optimistic solution that gives the client a push forward, not a push over the edge. Plus, who would you rather work with or have working for you – the auditor who says it’s going to rain – or the auditor who hopes for sun, but brings an umbrella just in case?
  6. An interest in technology, as well as people.
    The five points above fit just as well for all assurance roles. An active interest in IT is the differentiator. If you just think financial or operational audit is boring, think IT audit is better paid, or have romantic dreams about ‘hackers’ and Angelina Jolie, forget it today and try something easier, like operational management or grounds maintenance (depending what takes your fancy). IT assurance or security roles unless you’re actually interested in things with plugs that go ‘beep’. You don’t need to have been a teenage hacker, think online gaming is more fun than a trip to the pub, or count sheep in binary when you’re trying to go to sleep (admittedly I’ve had a passable go at all three, but then I’m geek enough to write this stuff in my spare time). However if you’ve come this far and only gained a basic understanding of Microsoft Office, all the training in the world won’t make you interested enough. If on the other hand you can only converse with another human being in machine code and think B.O. is something that only affects people who are daft enough to wash, maybe it’s time to take more of an interest in the people side?

This list is of course inherently subjective, and if you don’t have these qualities you may well have others that are worth just as much. Qualities you don’t have in abundance can always be worked on and improved. However, if you’re a disinterested, unfocused pessimist with a low sense of self worth, audit might not be the career for you!

One Response to “Top qualities for a good IT auditor”

  1. Fraser
    May 1, 2012 at 8:52 pm

    The brass neck (as we say in Glasgow) of the above author of the introduction of this info has certainly put my mind at ease as to what avenue I may pursue, ground maintenance or auditing and I think I may go with the latter.

    Thanks for the candid and I will read on….

    Fraser
