IT auditor

Description

IT auditors perform audits of information systems, platforms, and operating procedures in accordance with established corporate standards for efficiency, accuracy and security. They evaluate ICT infrastructure in terms of risk to the organisation and establish controls to mitigate loss. They determine and recommend improvements in the current risk management controls and in the implementation of system changes or upgrades.

Excludes people performing managerial activities.

Other titles

The following job titles also refer to IT auditor:

IT Quality Appraiser
ICT auditor
information technology auditor

Minimum qualifications

A bachelor’s degree is generally required to work as an IT auditor. However, this requirement may differ in some countries.

ISCO skill level

ISCO skill level is defined as a function of the complexity and range of tasks and duties to be performed in an occupation. It is measured on a scale from 1 to 4, with 1 the lowest level and 4 the highest, by considering:

  • the nature of the work performed in an occupation in relation to the characteristic tasks and duties
  • the level of formal education required for competent performance of the tasks and duties involved and
  • the amount of informal on-the-job training and/or previous experience in a related occupation required for competent performance of these tasks and duties.

IT auditor is a Skill level 4 occupation.

IT auditor career path

Similar occupations

These occupations, although different, require much of the same knowledge and skills as IT auditor.

ICT auditor manager
ICT security manager
ethical hacker
ICT resilience manager
digital forensics expert

Long term prospects

These occupations require some of the skills and knowledge of IT auditor. They also require other skills and knowledge, but at a higher ISCO skill level, meaning these occupations are accessible from a position of IT auditor with significant experience and/or extensive training.

Essential knowledge and skills

Essential knowledge

This knowledge should be acquired through learning to fulfill the role of IT auditor.

Systems development life-cycle: The sequence of steps, such as planning, creating, testing and deploying and the models for the development and life-cycle management of a system.
Product life-cycle: The management of the life-cycle of a product from the development stages to the market entry and market removal.
ICT quality policy: The quality policy of the organisation and its objectives, the acceptable level of quality and the techniques to measure it, its legal aspects and the duties of specific departments to ensure quality.
ICT security standards: The standards regarding ICT security such as ISO and the techniques required to ensure compliance of the organisation with them.
Audit techniques: The techniques and methods that support a systematic and independent examination of data, policies, operations and performances using computer-assisted audit tools and techniques (CAATs) such as spreadsheets, databases, statistical analysis and business intelligence software.
Engineering processes: The systematic approach to the development and maintenance of engineering systems.
ICT security legislation: The set of legislative rules that safeguards information technology, ICT networks and computer systems, and the legal consequences which result from their misuse. Regulated measures include firewalls, intrusion detection, anti-virus software and encryption.
Organisational resilience: The strategies, methods and techniques that increase the organisation’s capacity to protect and sustain the services and operations that fulfil the organisational mission and create lasting values by effectively addressing the combined issues of security, preparedness, risk and disaster recovery.
Quality standards: The national and international requirements, specifications and guidelines to ensure that products, services and processes are of good quality and fit for purpose.
Legal requirements of ICT products: The international regulations related to the development and use of ICT products.
ICT process quality models: The quality models for ICT services which address the maturity of the processes, the adoption of recommended practices and their definition and institutionalisation that allow the organisation to reliably and sustainably produce required outcomes. It includes models in a lot of ICT areas.

Essential skills and competences

These skills are necessary for the role of IT auditor.

Prepare financial auditing reports: Compile information on audit findings of financial statements and financial management in order to prepare reports, point out improvement possibilities, and confirm governability.
Improve business processes: Optimise the series of operations of an organisation to achieve efficiency. Analyse and adapt existing business operations in order to set new objectives and meet new goals.
Analyse ICT system: Study the activity and performance of information systems in order to model their usage and weaknesses, specify purpose, architecture and services and discover operations and procedures for accomplishing them most efficiently.
Execute ICT audits: Organise and execute audits in order to evaluate ICT systems, compliance of components of systems, information processing systems and information security. Identify and collect potential critical issues and recommend solutions based on required standards and solutions.
Ensure adherence to organisational ICT standards: Guarantee that the state of events is in accordance with the ICT rules and procedures described by an organisation for their products, services and solutions.
Perform quality audits: Execute regular, systematic and documented examinations of a quality system for verifying conformity with a standard based on objective evidence such as the implementation of processes, effectiveness in achieving quality goals and reduction and elimination of quality problems.
Develop audit plan: Define all organisational tasks (time, place and order) and develop a checklist concerning the topics to be audited.
Perform security vulnerability assessments: Execute types of security testing, such as network penetration testing, wireless testing, code reviews, wireless and/or firewall assessments in accordance with industry-accepted methods and protocols to identify and analyse potential vulnerabilities.

Optional knowledge and skills

Optional knowledge

This knowledge is sometimes, but not always, required for the role of IT auditor. However, mastering this knowledge allows you to have more opportunities for career development.

Information security strategy: The plan defined by a company which sets the information security objectives and measures to mitigate risks, define control objectives, establish metrics and benchmarks while complying with legal, internal and contractual requirements.
ICT network security risks: The security risk factors, such as hardware and software components, devices, interfaces and policies in ICT networks, risk assessment techniques that can be applied to assess the severity and the consequences of security threats and contingency plans for each security risk factor.
ICT accessibility standards: The recommendations for making ICT content and applications more accessible to a wider range of people, mostly with disabilities, such as blindness and low vision, deafness and hearing loss and cognitive limitations. It includes standards such as Web Content Accessibility Guidelines (WCAG).
Cyber security: The methods that protect ICT systems, networks, computers, devices, services, digital information and people against illegal or unauthorised use.
World wide web consortium standards: The standards, technical specifications and guidelines developed by the international organisation World Wide Web Consortium (W3C) which allow the design and development of web applications.
ICT project management: The methodologies for the planning, implementation, review and follow-up of ICT projects, such as the development, integration, modification and sales of ICT products and services, as well as projects relating to technological innovation in the field of ICT.
Cloud technologies: The technologies which enable access to hardware, software, data and services through remote servers and software networks irrespective of their location and architecture.

Optional skills and competences

These skills and competences are sometimes, but not always, required for the role of IT auditor. However, mastering these skills and competences allows you to have more opportunities for career development.

Manage IT security compliances: Guide application and fulfilment of relevant industry standards, best practices and legal requirements for information security.
Inform on safety standards: Inform managers and staff regarding workplace health and safety standards, especially in the case of dangerous environments, such as in the construction or mining industry.
Develop documentation in accordance with legal requirements: Create professionally written content describing products, applications, components, functions or services in compliance with legal requirements and internal or external standards.
Develop ICT workflow: Create repeatable patterns of ICT activity within an organisation which enhance the systematic transformations of products, informational processes and services through their production.
Monitor technology trends: Survey and investigate recent trends and developments in technology. Observe and anticipate their evolution, according to current or future market and business conditions.
Apply information security policies: Implement policies, methods and regulations for data and information security in order to respect confidentiality, integrity and availability principles.
Identify legal requirements: Conduct research for applicable legal and normative procedures and standards, analyse and derive legal requirements that apply to the organisation, its policies and products.
Define organisational standards: Write, implement and foster the internal standards of the company as part of the business plans for the operations and levels of performance that the company intends to achieve.
Communicate analytical insights: Obtain analytical insights and share them with relevant teams, in order to enable them to optimise supply chain (SC) operations and planning.
Identify ICT security risks: Apply methods and techniques to identify potential security threats, security breaches and risk factors using ICT tools for surveying ICT systems, analysing risks, vulnerabilities and threats and evaluating contingency plans.

ISCO group and title

2511 – Systems analysts

References
  1. IT auditor – ESCO
Last updated on August 8, 2022