IT Audit is ‘Boring’? Time to Fix the Perception Problem

Caitlin McGaw
Author: Caitlin McGaw, Career Strategist and Job Search Coach, Caitlin McGaw Coaching
Date Published: 4 March 2021

Updated: 12 May 2023

I was recently on a social media site where professionals join a career topic discussion group and ask questions. My parting pitch: Let’s make IT audit a talent magnet for worldly, tech-savvy Gen Z.

There it is. IT audit is boring. This perception problem has been helping to drive college grads and younger professionals away from the field. It’s no wonder that there is a severe shortage of talent, leaving IT audit leaders frustrated by lengthy hiring campaigns.

Like any job, there are elements of IT audit that are routine, but there is so much that is novel, challenging, a learning opportunity – especially in today’s risk-based IT audit functions.

Where does the idea that IT audit is boring come from? SOX and IT general controls (ITGC) work. When recruiting for IT audit roles – even for cool companies – professionals with 1-3 years of experience, especially those coming from IT risk advisory-type service lines in public accounting, will say that they don’t want to do IT audit. They’ve done it and they are through with it. “I want to be in the second LOD or in cybersecurity.”

When you try to provide a wider view of what IT audit is, they will often tell you, “No, IT audit is ITGC work.” They say that because that is typically all they have been exposed to. Routine SOX and ITGC work is pretty rote and checklist-y, so it’s easy to understand why they are over it and want to move on to something more exciting, like cyber, or more controls design-oriented, like an internal controls role, which they view as having more impact.

It also doesn’t help that there is a quite a bit of chatter in public accounting about internal IT audit being a dead-end career or that internal IT audit teams are typically dysfunctional and not respected. Given that public accounting and consulting still hires and trains a large number of fresh college graduates in the basics of IT audit, and puts a nice polish on their presentation skills, this is still one of the largest recruiting pools, and one that most companies want to tap for their IT audit hires.

So, how can we provide a better view of what internal IT audit is all about BEFORE younger people leave college? How can the profession mitigate the perception problem?

IT audit is still flying under the radar

The big accounting schools and computer science programs see their graduates going into a wide array of roles. IT audit gets only a few. College grads are heading in droves to cyber roles in industry, public accounting and consulting.

Why? Because students don’t hear about how interesting, how career-enhancing, how impactful IT audit is – or, that it pays well and can be a career unto itself or a springboard for other career roles in cybersecurity, risk, governance and privacy, as well as other fields that can capitalize on the blend of business knowledge, analytical and communication skills that IT audit training provides.

There are still not enough university programs with courses in IT audit or an IT audit specialization – especially at the undergraduate level. But beyond that, and this is critical, accounting and MIS/CS professors need to hear and learn from IT audit practitioners so they can bring those real-world stories about IT audit into their lectures. Professors are amazing knowledge evangelists. Students listen to them. Getting IT auditors into the classroom as guest lecturers or providing material to receptive professors would go a long way to building greater awareness of the field.

How do we fix this?

As I see it, the fix requires three main pillars: ISACA, internal audit functions and practitioners. ISACA has been building out student participation and outreach for years. The chapter level gets right to the heart of the image enhancement effort. If chapters embrace their educational outreach with cool speakers and programs that will stimulate interest at the college or even high school level, miracles can happen. Local talent shortages can be dramatically improved.

Internal IT audit teams can build story decks and presentations about their good work and take that to career days at high schools and colleges. Students are desperate for information about careers. IT audit needs to surface as a discipline of choice. It’s rewarding, teaches transferrable skills, is well-paid, and is generally fairly immune to economic volatility. What’s not for students – and their parents – to love?

Finally, supporting these efforts are IT audit professionals with their stories about their projects and career development. You are the absolute key to IT audit being able to attract more great people.

Learning how to tell a vivid story about your work to someone outside your team is a critical skill set for all practitioners who want to be successful in IT audit and beyond. These skills are easy to learn. The best managers and audit functions put a high premium on this kind of brand-building. There’s a terrific synergy between getting out into a college setting and evangelizing IT audit, and being able to influence critical business stakeholders and boosting the reputation of your IT audit function.

My parting pitch: Let’s make 2021 the year when IT audit becomes a talent magnet for worldly, tech-savvy Gen Z. It’s time to show them and the world that IT audit Is anything but boring!

Editor’s note: If you are interested in beginning or looking for next steps in your IT audit career journey, learn about ISACA’s IT Audit Fundamentals Certificate to build and validate the necessary foundational knowledge.”