2020/10/12 Seven Tips for New IT Auditors

Seven Tips for New IT Auditors

ISACA NOW BLOG

Author: Adam Kohnke, CISA, CISSP, eJPT
Date Published: 18 September 2017

Transitioning into an IT audit or assurance role can be daunting,
overwhelming and outright scary at first. As with many roles these days,
individual performance expectations are high, your engagement results
are heavily scrutinized by the client, and senior management constantly
expects a high level of value to be provided through your efforts. This
blog post mainly focuses on overcoming some of these challenges for
individuals new to the IT audit or assurance profession, but it may be
useful for others as well. Here’s what I’ve learned over the past two years;
hopefully it serves you well.

1. Stick to the objectives. It can be easy at times during an
audit/assurance engagement to start drifting off into additional areas of
risk or concern that are not part of your current engagement. Avoid making
unilateral decisions that introduce the potential for significant increases
in workload or put the objectives of your current engagement at risk.
Your manager should be the first person you talk to when an interview
with an auditee or the testing of evidence uncovers additional potential
risk not originally in scope of the engagement. Write down your concerns,
express the potential risk as a quantifiable or objective statement, and
present your case to your management. Their support and guidance can take
you further than what you could hope to achieve alone, and may allow for
future engagements or discussions to be scheduled to address these
potential risks. You initially set out to gain specific assurances on a
particular area under review, right? Focus on doing just that.

2. Keep it simple. While IT auditors/assurance professionals typically
focus on the inner workings and configuration of complex technology, the
final result of your work is typically a report that is digested by a
community or group that is non-technical in nature, such as an audit
committee, your manager or senior management. Creating complex
technical testing plans and working papers, and developing reports
containing overly technical content that only you can understand, doesn’t
produce a net positive benefit for you, and can actually be detrimental to
your career. Ensure your work papers record the name and title of the
individual you received the evidence from, the date it was received, a
short and specific purpose or reason as to why you are reviewing the
evidence, and the key attributes supporting the purpose and the conclusion
of your review. Practice report writing early and often, and accept
feedback from management on methods to simplify reports and other
communications you produce.

3. Utilize repeatable testing frameworks. It is ideal to spend less time
and effort building out a custom audit/assurance program from scratch
each time you have an engagement. While every audit/assurance
organization operates differently and has different ways of completing
and documenting its engagements, each organization typically pursues
similar information. Tools like Excel offer a mechanism for engagements
to be conducted in a uniform manner, regardless of the focus area or
engagement, through their inherent table and cell structure. Excel tabs
can be used to define the particular technology your testing is focusing
on, such as Exchange, Active Directory, NetApp, etc. Columns can be used
to define the repeating areas you define for every engagement, such as the
perceived risks, identified controls, test methods, testing attributes, and
results of your testing (i.e., effective or not effective). Rows can be
used to provide focus for the items you have defined in the columns and
allow the results of testing to be easily reviewed by others.

4. Network, network, network. Your ability to influence and maintain
positive working relationships with various internal departments and
senior management can be a major deciding factor between a smooth
and stress-free engagement and one where you wish you had never
accepted the role. It’s easy for auditors/assurance professionals to be
viewed in an adversarial light due to the nature of the work they perform.
Networking with past or future engagement clients provides an
opportunity for you to be perceived as something other than that person
who just stressed them out in an engagement. It may seem scary or
uncomfortable at first, but email can be your friend here: for example,
randomly select a group of people you want to know better, Bcc them,
and craft a simple “I’d be interested in networking with you and
knowing more about your interests or who you are as a person.” Another
approach is sending direct emails to particular individuals, or to several
individuals you have an interest in on the same team. I’ve used this
approach effectively to network with my CEO, chief security officer,
project managers, and even my own team members. Networking is one of your
most effective career tools, so use it!

5. Be humble. Your ability to grow and the speed at which you advance as
an IT audit/assurance professional depend on your ability to
consider and integrate constructive feedback provided by others. In my
experience, it can be incredibly difficult and psychologically challenging
for human beings to accept criticism because it may be subconsciously
perceived as a social or personal attack, even when it isn’t. While not all
feedback is useful and constructive, it’s key to identify, accept and
improve on your strengths and weaknesses when they are communicated to
you in feedback from others. A generally positive attitude, an open mind
and a belief that people are attempting to help you get better will serve
you well in the long run of your career.

6. Research early and often. A convenient aspect of the IT
audit/assurance profession is that you’re more than likely not the first
organization or individual to have audited or gained assurance on your
targeted subject area. A simple practice is performing Google searches
for related publications, white papers, and audit programs that will help
narrow the risks and testing objectives on which your engagement should
focus. If you are auditing Active Directory, TechNet is a major and helpful
resource. If you’re auditing Oracle databases, there are security guides
provided by Oracle that help you determine the database views and
parameter files you may want to focus on. Audit/assurance program
services such as Knowledge Leader, the IIA and ISACA also provide a
wealth of information that you can use to research related risks and
focus areas for your engagement.

7. Do not assess risk in a vacuum. You should consider involving, if not
outright integrating, business area management and stakeholders in
your risk assessment process for each engagement. Some organizations
perform an organization-wide risk assessment to scope their annual
engagement plan, and this is where stakeholder involvement can end in
identifying risk. Considering what the business areas perceive as risky
provides at least two immediate benefits to you and the success of your
engagement. It will serve to validate whether your assessment of risk
was aligned with the client, and the client also can see the value you are
providing in addressing concerns regarding relevant risks. Clients should
not be allowed to influence the final direction of the engagement, but
their inputs are invaluable to delivering a quality final work product.
