Shining a Stronger Spotlight on the Information Systems Audit Profession

Author: Veronica N. Rose, CISA, CDPSE - Board Director at ISACA Foundation and Digital Trust Professional
Date Published: 15 December 2021

Way back while I was in university, despite the fact that I was pursuing a bachelor’s degree in computer science, I never heard any faculty mention a profession in IS/IT audit. To date, when I mention my profession to some, they ask what in the world it is that I do.

When I later graduated with a master’s of science in information systems, I became curious to know whether there was a way I could certify my degrees the way professionals in finance become chartered accountants after pursuing the CPA credential. I wished to become certified in information systems so I surfed the internet to find out whether there was something like being a certified information systems professional—and that’s how I landed on the ISACA website. Searching further, I saw the Certified Information Systems Auditor (CISA) certification that one could pursue for a career in audit. That sounded interesting, and I became CISA-certified.

A few months ago, I was presenting a webinar on the topic “Auditing of Data Privacy” and posted a question in the chat asking attendees to mention what comes to their mind when they hear the word “auditor/audit.” Some of the answers were as follows: “police, fault finders, buzz killers, people whose work is to keep us on tiptoes, enemies of progress,” and one of them responded “I love being audited.” I read the responses and giggled, realizing that many process owners see audit as a hindrance to efficiency.

In September, I was invited to speak at a foundation on “A day in the life of an information systems auditor” to highlight what exactly IS auditors do. I shared a number of insights on what the audit profession entails, and I asked the audience to mention one word that comes to their mind when they hear the word “audit.” The answers were amazing. My hope is that such conversations are extended to higher institutions of learning, organizations, and ISACA chapters to proactively create awareness about the IS/IT audit profession through boot camps.

Considering both encounters, a question occurred to me – why do people outside the audit profession perceive the internal audit function this way? From their point of view, it is not easy to define audit, especially if they recently received a report with a lot more “reds” than “greens.” I came to the realization that auditing is about fact-finding, not fault-finding.

Traditionally, the audit profession has been demonized as the profession where people are determined to put other people’s jobs at stake: more fault-finding instead of fact-finding. Perhaps that’s why so many people never develop interest, or even awareness, in audit at the start of their careers. I also remember one time calling one of my colleagues from a different firm requesting a meet-up that week. The response was, “This week is very tough for me.” I asked why, and she responded, “We have auditors on ground who are stressing me out.” Yes, the perception was that bad. I bring this up because many, perhaps most, auditors are being tagged “stressors, police, reporters, evil class monitors.” This makes my heart sink.

The good news is that the current wave of auditors, and CISAs in particular, are different. We are conversant with the professional code of standards, credible and subjected to continuous learning education that keeps us abreast with the current trends in the profession.

Recognizing the need for audit professionals
Typically, smaller organizations of around 400 people or less can only afford hiring one IS auditor to perform all audits across business units. Other organizations don’t even have IS auditors in their organizations; they only engage financial external auditors as required by regulations. Why is this so?

This is where we need to join hands as audit professionals to change the status quo.

One of the things I cherish is when people reach out to me seeking mentorship on audit topics or guidance on how to prepare for the CISA exam. I must say, so many who reach out are at their mid-level career, and they regularly confess they never knew about the profession earlier in their careers.

So, what should we do?
The future of IS auditors is brighter than we could have thought because as technology evolves, we still need expertise on who will give assurance and advisory services on the effectiveness of controls in mitigating risks. Yet the number of IS auditors is still low considering the opportunities that await them. It is time to shift the mindset from a workforce shortage in IS audit to a development shortage.

IS audit is an extraordinary career option and, as IS/IT audit professionals, we can embark on mentoring, training, coaching and sponsoring up-and-coming IS auditors, and encourage them to join professional communities like ISACA to set them up for a successful career in the audit profession. We can also advise HR professionals on the value auditors add to their organizations.

And let us keep sharing our experiences in the industry. For example, some of the key competencies that have helped me to excel in my IS audit career, along with my ISACA membership, are being very organized, observant, meeting deadlines, researching, being detail-oriented, courteous, developing a big-picture view of the organization and its business strategy, and being empathetic and devoted to continuous learning.

This is the right time to fix the perception of the IS audit profession and shine the light on IS/IT auditors. And in a world full of auditors, be a CISA.