Key Characteristics of an Effective Information Systems Auditor


IT Geeks don’t always make for good auditors…

I like most of my time spent blogging on R3S to focus on Information Technology and Security. As an Information Systems auditor, my IT/IS knowledge definitely makes me stand out against many of my peers in public accounting. With that being said, today I’d like to shift gears a bit and explore what I think it is that makes me effective in my career.

Being IT/IS savvy isn’t what makes me a good auditor. In fact, once I started my career in Information Systems audit not too long ago, my boss urged me to go sign up more of my friends! I went looking, eager to cash in on some referral bonuses only to discover that your typical IT minded individual does not tend to make a very good auditor.

So what does make for a top-notch Information Systems auditor? Or, to make this more relevant to our audience: what key characteristics should you look for in the next individual you may consider hiring to either work for you or perform an IT/IS audit for your organization?

Key Characteristic: Explanation
Curiosity: A good auditor is a polymath and lifelong learner. Consider all the areas of expertise an information systems auditor is required to touch upon. This individual will be expected to be familiar not only with Information Systems but also SDLC processes, Accounting Principles, Legal and Regulatory Matters, Human Resources management and more.
Flexibility: The Information Systems auditor may be expected to show up at the office of a CTO one day in suit and tie, and don a hardhat and steel toe boots on the factory floor the next. Hours and location of work shift from client to client. A good consultant/auditor should never expect to show up to the same desk and office day after day.
Strategic Thinker: A strong Information Systems auditor should be adaptive. Technology changes quickly, legal and regulatory matters affect internal controls, and ever-evolving economic conditions impact the operations of all competitive organizations. A strong auditor recognizes these external forces and considers them during internal risk assessment.
Observant: Auditors must be keen on paying attention to details and identifying patterns, whether that be observing the same hash repeatedly while reviewing a dozen different router configuration files, or just being an amazing proofreader of reports.
Personable/Agreeable: A strong consultant/auditor should be effective at building relationships. They should be flexible, strategic, and observant enough to read the temperament of their client and adapt to them, in order to foster a productive professional relationship.

Have any key characteristics of your own to share? Let’s hear them!

4 thoughts on “Key Characteristics of an Effective Information Systems Auditor”

  • Good communication – both written and oral.

    It is the number one skill I’m looking for when hiring any auditor – IT or otherwise. Can I sit you down in front of the VP of Human Resources or a DBA to conduct a meeting/interview/testing? And are you going to be able to capture the results of that interaction clearly and concisely in a workpaper? Sure every business has their own style and culture around communication. Those things I can coach.

    I’ve had a number of IT professionals approach me about getting into IT auditing. Once I tell them the bulk of the work is meeting with folks and documentation they tend to run away. IT folks generally loathe meetings and documentation.

    I would also add having a balanced perspective to the list. We like to think of audit as a black and white world. You’re either compliant or you’re not. While that is, not all issues are the same or represent the same risk to the organization. A good auditor can recognize that and effectively communicate (see above) it to the client.

  • Great post, Shane. Good comments, Steve.

    I’d add creative and persistent. A good auditor won’t give up after 1 or 2 tries. He presses on and tries new things. And when he ‘smells’ something burning, he works hard at finding it.

    Also, a good IT auditor needs to be able to learn new technology fast and understand how A relates to D or could relate if X happened. Some problems aren’t real bad on their own, but if you know how to line them up properly, you have a real serious exposure.

    At the same time, a good IT auditor knows when to widen the scope of an audit and when to stop digging. He constantly asks SO WHAT, and when the answer is IT DOESN’T REALLY MATTER, he stops.

  • I stopped by to read this again…and had some additional thoughts/questions.

    Why do you think that “typical IT minded individual does not tend to make a very good auditor”? Pray tell.

    Also, one of the things I rant about the most is that many of the IT auditors I know DON’T understand enough about IT/IS. I don’t disagree with the traits you listed; auditors need them, but if they have all the traits above but don’t understand IT, while they’d still be better than many IT auditors, they won’t be GREAT.

    Another trait I’d recommend is thorough. Too many auditors and IT auditors just want to get by. Grief!

  • Mac,
    A year later after posting this, I think now I’d say that you find very few people who are both decent auditors but also IT savvy enough to properly do the job.

    I think that Network Security guys are actually more times than not the best ones for the job technically- they just don’t want to be auditors because auditors don’t actually get to build or configure anything.

    IT Systems Engineers may very well have the technical chops, but the mindset of an IT systems engineer is to make a solution work. Security is usually counterproductive to just making stuff work and getting the job done. Therefore they see controls and security as a massive headache.

    Then there is the process/accounting auditor turned IT auditor. These people usually struggle more times than not in this field (in my experience). I suppose this is mostly due to these individuals not being interested in IT outside of work. They aren’t the people going home and tinkering on their own, reading about technology, listening to podcasts about it- because you want to, not just because you should or have to.

