Roadmap

IT Auditor

The professional who independently verifies that IT controls are designed correctly and operating effectively. Tests whether what the organization says it does matches what it actually does, and reports findings to management, the board, and external stakeholders.

OPTIMISTIC 18-24 monthsREALISTIC 2-3 years

Stage 00

Computer & IT Fundamentals

IT auditors assess technology systems. Technical credibility with the IT teams you audit requires genuine understanding of what you are testing.

Computer Hardware & Systems

Server hardware — rack servers, blade servers, virtual machines; the physical foundation of IT controls
Storage systems — SAN, NAS, backup systems; data protection and availability controls
Network hardware — switches, routers, firewalls; network security control context
Physical security — data center access controls, environmental controls (temperature, fire suppression)

Number Systems

Binary, hex — useful for reading technical audit evidence

Operating Systems

Windows Server — Active Directory, Group Policy, event logs; the most common audit target
Linux/Unix — common on servers, database systems; audit evidence locations
User accounts, groups, permissions — the foundation of access control auditing
System logging — event logs, syslog; audit trail evidence

Networking Basics

Network architecture — DMZ, internal network, internet-facing systems
Firewalls and network segmentation — key access control mechanisms
Remote access — VPN, jump servers, bastion hosts; privileged access audit context
DNS, DHCP — infrastructure services and their audit relevance
Cloud networking — VPC, security groups; increasingly part of IT audit scope

Database Fundamentals

Relational databases — MySQL, SQL Server, Oracle, PostgreSQL; structure and access control
Database users and roles — DBA access, application service accounts, privileged access
Database audit logging — query logging, connection logging, privilege use logging
Stored procedures — automated processes requiring access control testing
SQL basics — SELECT statements for audit data analysis

Application Architecture

Web application architecture — web tier, application tier, database tier
Application access controls — authentication, authorization, session management
SDLC — development, testing, staging, production environments; change management relevance
APIs — interface between systems, access control implications

Cloud Fundamentals

IaaS, PaaS, SaaS — shared responsibility model implications for audit scope
Cloud IAM — roles, policies, service accounts; cloud access control audit
Cloud logging — CloudTrail, Azure Activity Log, GCP Audit Logs; cloud audit evidence
Virtual machines, containers, serverless — modern compute audit surface

Resources

Professor Messer CompTIA A+ (free YouTube)
AWS Cloud Practitioner Essentials (free)
TryHackMe Pre-Security path (free)

Stage 01

Accounting & Internal Audit Fundamentals

IT audit lives inside the audit function. Understanding accounting, internal controls, and audit methodology is the professional foundation.

Financial Accounting Basics

Financial statements — income statement, balance sheet, cash flow statement
Accrual vs cash accounting — timing of revenue and expense recognition
Internal controls over financial reporting (ICFR) — why SOX Section 404 exists
Journal entries — how financial transactions are recorded, IT systems that generate them
Reconciliation — matching IT system records to accounting records
Segregation of duties in accounting — why no single person should initiate, approve, and record a transaction

Internal Audit Fundamentals

IIA Standards — Attribute Standards (independence, objectivity, proficiency, due professional care) + Performance Standards (engagement planning, performing, communicating, monitoring)
Three Lines of Defense — first line management/business units, second line risk and compliance, third line internal audit
Audit independence — organizational independence from the activities audited
Audit charter — the document authorizing the audit function and defining its scope
Internal vs external audit — internal audit serves management and the board; external audit serves shareholders
Risk-based audit planning — prioritizing audits based on risk assessment
Audit universe — the complete list of auditable entities and processes
Audit committee — the board committee overseeing internal audit

COSO Framework

COSO Internal Control — Integrated Framework: five components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring); seventeen principles; primary framework for SOX ICFR evaluation
COSO ERM (Enterprise Risk Management) — expanded to include strategy and performance

Audit Methodology

Audit planning — engagement letter (scope, objectives, timing, team), risk assessment, audit program, preliminary survey
Walkthrough — understanding the process by talking to control owners and observing
Control testing — testing design and operating effectiveness
Sampling — statistical and non-statistical (judgmental) approaches
CAATs (Computer-Assisted Audit Techniques) — data analysis using Excel, SQL, IDEA, ACL
Audit reporting — observations, ratings (high/medium/low), root cause analysis, management response, follow-up
Audit documentation (workpapers) — evidence of procedures performed, results, conclusions, cross-referencing

Resources

IIA Standards (theiia.org, member download free)
COSO website (coso.org, free summaries)
ISACA CISA Review Manual (paid, essential for CISA study)

Stage 02

Security Fundamentals

IT auditors assess security controls. Understanding what effective security looks like enables meaningful testing.

Core Security Controls

CIA Triad — every IT control maps to Confidentiality, Integrity, or Availability
Authentication and access controls — MFA, password policies, privileged access; the most common audit focus
Encryption — at rest and in transit; key management, implementation testing
Vulnerability management — patch cycles, scanning, remediation tracking
Incident response — response plans, testing, notification procedures
Network security — firewalls, segmentation, IDS/IPS; network access controls
Security monitoring — SIEM, log management, alerting; detective controls
Physical security — data center access, visitor logs, environmental controls
OWASP Top 10 — web application vulnerabilities relevant to application control testing
Malware and threats — ransomware, phishing, insider threat; risk context for control design evaluation

Certification

CompTIA Security+ — provides security baseline needed to understand what controls you are auditing

Resources

Professor Messer Security+ SY0-701 (free YouTube)

Stage 03

IT Governance Frameworks

IT audit is governed by frameworks that define what to test, how to test it, and how to report findings.

COBIT (Control Objectives for Information and Related Technologies)

COBIT 2019 — current version, framework for IT governance and management
COBIT structure — Governance Objectives (EDM domain board-level), Management Objectives (APO 14, BAI 10, DSS 6, MEA 4)
COBIT principles — meeting stakeholder needs, covering enterprise end-to-end, single integrated framework, holistic approach, separating governance from management
COBIT Performance Management — capability levels 0–5
COBIT in IT audit — used as the framework to define what good IT governance looks like, test against, and report findings in terms of

ITIL (Information Technology Infrastructure Library)

ITIL 4 — IT service management framework
Service value system — value chain, practices, principles
Change Control — formal approval, testing, and documentation of changes
Incident Management — detection, logging, classification, resolution
Problem Management — root cause analysis, known error management
Configuration Management — CMDB, asset tracking
Service Level Management — SLAs, OLAs, reporting
ITIL in IT audit — used to evaluate change management and computer operations controls

NIST Frameworks for IT Audit

NIST CSF 2.0 — used to assess security control coverage
NIST SP 800-53 — control catalog used in federal IT audits, FedRAMP
NIST SP 800-171 — CUI protection controls for CMMC
NIST AI RMF — emerging framework for AI governance auditing

ISO Standards

ISO/IEC 27001 — ISMS requirements; used as audit criteria for certification audits
ISO/IEC 27002 — control guidance; used to evaluate control design
ISO/IEC 38500 — corporate governance of information technology; board oversight of IT
ISO 31000 — risk management principles and guidelines

IT General Controls — Logical Access

User provisioning — formal request, approval, implementation
User modifications — role changes, access expansions
User terminations — timely revocation upon departure
Access reviews — periodic recertification of user access
Privileged access — admin account management, just-in-time access
Password policies — complexity, length, rotation, lockout
MFA — implementation on critical systems, remote access
Service accounts — management, rotation, monitoring
Shared accounts — justification, controls, monitoring

IT General Controls — Change Management

Change request — formal documentation of proposed change
Change assessment — impact and risk evaluation
Change approval — segregation of duties (requester ≠ approver ≠ implementer)
Change testing — in non-production environment before production
Change documentation — what changed, when, by whom
Emergency changes — expedited process with retrospective approval
Version control — code repository management

IT General Controls — Computer Operations

Job scheduling — automated job monitoring, failure alerting
Backup and recovery — backup frequency, testing, offsite/cloud storage
Capacity management — monitoring, thresholds, planning
Incident management — detection, logging, escalation, resolution
Disaster recovery — documented procedures, testing frequency, RTO/RPO
Environmental controls — temperature, fire suppression, power (UPS, generator)
Physical access — data center badge access logs, visitor management

IT General Controls — System Development (SDLC)

Development methodology — formal SDLC or Agile process documentation
Requirements documentation — security requirements in system design
Code review — peer review or automated scanning
Segregation of environments — dev/test/staging/production separation
Promotion controls — formal process for moving code to production
User acceptance testing (UAT) — business sign-off before go-live
Post-implementation review — confirming system meets requirements

Resources

ISACA COBIT 2019 (isaca.org, free introduction)
ITIL 4 Foundation study materials
NIST frameworks (nist.gov, free)
CISA Review Manual (paid, essential)

Stage 04

Audit Evidence & Testing Methodology

Audit quality is determined by the quality of evidence. IT auditors must know how to design tests, collect evidence, and reach defensible conclusions.

Evidence Standards

Sufficient — enough to support the conclusion (sample size, population coverage)
Appropriate — relevant to the objective and reliable as to source and nature
Evidence hierarchy — system-generated output (highest), direct observation, re-performance, third-party documentation, management representations (lowest)
Corroborating evidence — using multiple evidence types to increase assurance

Testing Approaches

Walkthrough — select representative transaction, trace from initiation to completion, observe documentation at each control point, identify where controls exist and might fail
Design effectiveness — does the control address the risk as designed, properly documented, ownership assigned, exceptions handled
Operating effectiveness — performed consistently, by right person, documented appropriately, complete and accurate
Testing frequency — automated controls one point-in-time, manual controls 25 samples for year, high-volume statistical sampling

Audit Sampling

Statistical sampling — attribute (pass/fail) and variables (monetary amount); tolerable error rate
Non-statistical (judgmental) sampling — based on auditor judgment, acceptable when documented
Common sample sizes — population 1–49 may test 100%, 50–249 typically 25–30, 250+ 60 for high-risk / 25 for lower risk
Sample selection methods — random, systematic, haphazard

CAATs

Purpose — using technology to test larger populations, identify anomalies, improve efficiency
Excel — VLOOKUP/INDEX-MATCH (matching access lists vs HR terms), pivot tables, conditional formatting, filters/sorting, data validation
SQL — SELECT/FROM/WHERE/JOIN/GROUP BY/HAVING/ORDER BY; joining HR + AD to find terminated users with active accounts; aggregation for SOD; finding duplicates and gaps
IDEA (Interactive Data Extraction and Analysis) — purpose-built audit analytics tool
ACL Analytics / Galvanize — enterprise audit analytics platform
Tableau / Power BI — data visualization for audit reporting and anomaly detection
Python / R — advanced analytics for large datasets, pattern detection

Common ITGC Test Procedures — Logical Access

User access review testing — obtain population of active accounts, HR termination list; join; identify terminated with active; sample of access reviews; obtain evidence of review and remediation
Privileged access testing — list of admin accounts, verify authorized and justified, test for shared admin accounts, verify MFA on privileged
User provisioning testing — sample of new users; obtain access request, approval, implementation evidence; verify appropriate authorization
Termination testing — sample of terminated employees; verify accounts disabled within policy; inspect evidence of revocation

Common ITGC Test Procedures — Change Management

Change approval testing — population of changes; sample; obtain change request, authorized approval, testing, deployment evidence; verify no deployments without approval
Emergency change testing — emergency change population; verify retrospective approval within policy timeframe
Segregation of duties testing — verify developers cannot deploy to production; sample of production deployments; confirm deployer differs from developer

Common ITGC Test Procedures — Computer Operations

Backup testing — backup completion logs; verify success throughout period; obtain restoration test evidence
Job scheduling — automated job schedule, sample of critical jobs, verify completion and failure notification

Workpaper Standards

Workpaper elements — objective, population, sample, procedures, results (exception by exception), conclusion, cross-references, reviewer signoff

Resources

ISACA CISA Review Manual (essential, paid)
IIA IPPF (member download)
AICPA Audit Guide (paid)
IDEA Software community resources (free tutorials)

Stage 05

SOX IT Audit

SOX Section 404 drives a significant portion of IT audit work at public companies. Understanding the SOX ITGC testing cycle is essential for any auditor targeting finance, banking, or Big Four roles.

SOX Overview for IT Auditors

Why SOX matters — requires management to assess and external auditors to attest to the effectiveness of ICFR
IT audit's role — ITGCs underlie reliability of financial data; weak ITGCs mean financial data cannot be trusted
Material weakness vs significant deficiency vs control deficiency — control deficiency, significant deficiency, material weakness (reasonable possibility of material misstatement)
Scope determination — which IT systems are in-scope (systems that directly feed financial reports)
Top-down, risk-based approach — starting with financial statement line items, tracing to systems, identifying relevant controls

ITGC Testing for SOX

Testing period — full year (January–December for calendar-year companies)
Rollforward — updating testing for the period between interim testing and year-end
PCAOB standards — AS 2201 for external auditors; internal audit uses this framework for reliance
Integrated audit — external auditors testing financial controls and IT controls simultaneously
Reliance on internal audit — external auditors can rely if it meets their standards
Management testing — Section 404(a); external auditors attest under 404(b)
Documentation requirements — formal workpapers, matrices of control attributes and test results

ITGC Scoping for SOX

In-scope systems — ERP (SAP, Oracle, NetSuite), financial reporting, consolidation, supporting infrastructure
SAP audit controls — user roles, transaction codes (TCODES), segregation of duties analysis
Oracle ERP audit — responsibilities, profiles, concurrent programs
NetSuite audit — roles, permissions, workflows
Segregation of duties (SOD) matrix — conflicting roles (create+approve vendor payment, record+approve journal entry, set up employee+approve payroll, initiate+release wire)

SOX ITGC Finding Examples

Terminated employee with active system access 30+ days after termination — Logical Access
Change deployed to production without documented approval — Change Management
Quarterly access review not completed — Logical Access
DBA with read access to production financial data without business justification — Logical Access
Backup restoration test not performed during the period — Computer Operations

Resources

PCAOB AS 2201 (pcaobus.org, free)
Big Four SOX guides (publicly available summaries)
ISACA SOX compliance resources (free member content)

Stage 06

Cloud & Emerging Technology Audit

IT audit scope has expanded significantly with cloud migration. Auditors who cannot assess cloud environments are increasingly behind.

Cloud Audit Fundamentals

IaaS — provider responsible for hardware/hypervisor; customer for OS, patching, access controls, logging
PaaS — provider responsible for runtime/middleware/OS; customer for application, data, access
SaaS — provider responsible for application/infrastructure; customer for user access and data
Cloud governance — cloud account management, tagging, spending controls
IAM — cloud IAM policies, roles, service accounts, MFA on console access, access key rotation
Logging — CloudTrail enabled in all regions, log integrity, log retention
Encryption — S3 encryption, EBS encryption, encryption key management (KMS)
Network — security groups (no 0.0.0.0/0 on sensitive ports), VPC architecture, public vs private resources
Configuration management — IaC vs manual changes, drift detection

AWS Audit Procedures

CloudTrail — verifying enabled in all regions, log file integrity validation, centralized in audit account
Config — rules enabled, compliance status, recording all resource types
Security Hub — reviewing findings, enabled standards (CIS, FSBP)
IAM — root MFA, no active root access keys, MFA on privileged users, access key age, unused credentials
S3 — public access block, bucket policies, encryption configuration, versioning
EC2 — security group rules, patch compliance, inspector findings
KMS — key rotation, key policies reviewed, usage monitoring

Azure Audit Procedures

Entra ID — MFA enforcement, conditional access, privileged access reviews, guest account management
Defender for Cloud — Secure Score, security recommendations, regulatory compliance
Activity Log — retention settings, diagnostic settings, log analytics workspace
Azure Policy — compliance state, policy assignments, non-compliant resources
Key Vault — access policies, soft delete, purge protection, secret rotation

Container and Kubernetes Audit

Container image scanning — Trivy, ECR scanning; identifying vulnerable images in use
Kubernetes RBAC — cluster-admin role bindings, service account permissions, audit of privileged roles
Pod security — privileged containers, host path mounts, root container execution
Secrets management — secrets stored in etcd, external secrets manager integration

AI Governance Audit

AI governance — ISACA flagged as top priority for 2025 audit functions
AI inventory — documenting AI systems, purpose, training data, decision authority
AI risk assessment — bias, explainability, accuracy, security, privacy risks
AI controls — model validation, monitoring, human oversight, input validation
EU AI Act compliance — prohibited AI practices, high-risk AI system obligations
AI vendor assessment — reviewing AI provider security and governance practices

Resources

AWS Well-Architected Security Pillar (free)
AWS Audit Manager (free to try)
ISACA Cloud Auditing guidance (free member content)
CSA Cloud Controls Matrix (free)

Stage 07

Reporting & Communication

IT audit findings must be communicated clearly to technical and non-technical audiences. Finding quality and communication skill determine career progression.

Audit Finding Structure

Condition — what is (what the auditor observed)
Criteria — what should be (the standard or requirement being violated)
Cause — why the gap exists (root cause analysis)
Effect / Risk — so what (what could go wrong if not addressed)
Recommendation — what should be done (specific, actionable)
Management response — agreed remediation plan with owner and target date

Finding Rating Criteria

High/Critical — immediate risk of material impact on financial reporting, data security, or regulatory compliance
Medium/Significant — important risk that should be addressed promptly but not immediately threatening
Low/Minor — best practice improvement, limited risk exposure
Informational — observation with no current risk, improvement opportunity

Writing Quality

Clear condition statement — specific test result, sample size, exception count
Specific criteria — citing policy section or framework requirement
Root cause clarity — why the gap exists (e.g., absence of automated trigger between HR and AD)
Business risk framing — translating technical issue to business impact language
SMART recommendation — specific implementation plan with owner and target date

Audit Report Structure

Executive summary — overall opinion, rating summary, key themes
Scope and objectives — what was audited and why
Methodology — how testing was conducted
Findings — individual findings in priority order
Management responses — agreed remediation plans
Appendix — detailed testing results, supporting data

Communicating with Technical and Non-Technical Audiences

Walkthrough meetings — explaining your understanding of their processes; invite correction
Finding discussion — presenting draft findings to management for factual accuracy
Avoiding gotcha culture — collaborative relationship with IT management improves outcomes
Technical credibility — demonstrated by asking specific questions and understanding answers
Audit committee reporting — overall risk posture, material findings, management responsiveness
Translating technical findings — business-language framing instead of jargon
Risk quantification — translating control failures into financial or reputational risk language

Resources

IIA Communication standards (free member content)
Big Four audit report examples (publicly available)
ISACA IS Audit Standards 1400 series (free)

Stage 08

Specialized IT Audit Areas

Building depth in a specialty area accelerates career progression and increases compensation.

ERP Audit (SAP / Oracle)

SAP transaction codes (T-codes) — access to specific functions (FB60 vendor invoice, F-58 payment run)
SAP roles — collections of T-codes determining what a user can do
SOD analysis tools — Fastpath, SAP GRC to identify SOD conflicts
Table-level access — SE16/SE16N direct table read access bypasses application controls
Basis controls — system parameters, password rules, audit logging settings
Change transport system — SAP's change management mechanism
Oracle ERP responsibilities — collections of functions assigned to users
Oracle Profiles and menus — determining function access
Oracle Concurrent programs — automated batch processes and access controls
Oracle Workflow — approval routing controls

Database Audit

SQL Server audit — login auditing, object-level auditing, SQL Server Audit feature
Oracle Database audit — Unified Auditing, Fine-Grained Auditing, DBMS_AUDIT_MGMT
Database activity monitoring (DAM) — Imperva, IBM Guardium
Privileged database access — DBA accounts, stored procedures, direct table access
Unstructured data access — file servers, SharePoint; access reviews and DLP

Cybersecurity Audit

Security control framework assessment — NIST CSF, CIS Controls maturity evaluation
Vulnerability management program audit — scanning coverage, remediation timeliness, exception tracking
Penetration test oversight — reviewing scope, findings, and remediation validation
Security monitoring audit — SIEM coverage, alert tuning, SOC processes, IR testing
Identity and access management program audit — provisioning controls, access reviews, PAM implementation
Data encryption audit — at-rest and in-transit coverage, key management practices

Business Continuity / Disaster Recovery Audit

BCP/DR plan documentation — completeness, currency, executive approval
RTO/RPO validation — testing whether documented recovery times are achievable
DR test results — evidence of testing, gaps identified, remediation actions
Backup testing — restoration test evidence, offsite/cloud backup verification
Third-party DR dependencies — vendor BCP/DR assessment integration

Privacy and Data Protection Audit

Data inventory and mapping — documented understanding of what personal data exists and where
Consent management — mechanisms for obtaining, recording, and honoring consent
Data subject request fulfillment — process for handling access, erasure, portability requests
Cross-border transfer mechanisms — SCCs, adequacy decisions, BCRs
Privacy impact assessments — conducted for high-risk processing, documented

Resources

ISACA SAP Audit Guide (member content)
Oracle audit resources (free documentation)
AICPA cybersecurity framework (free)
NIST SP 800-34 BCP guide (free)

Stage 09

Hands-On Practice & Portfolio

Practice Activities

Conduct a mock ITGC assessment — design test procedures for the four ITGC domains
Build an audit workpaper — document a complete logical access control test
Analyze sample data — public dataset; SQL or Excel to identify control exceptions
Write a finding — condition/criteria/cause/effect/recommendation format
Review a SOC 2 report — read SaaS company trust center reports; identify controls, test procedures, exceptions
Practice CAAT techniques — Excel VLOOKUP to match user access list against termination list

Certifications to Pursue

CISA study — five domains (audit process, governance, acquisition/development, operations, asset protection); CISA Associate before full experience
CIA (Certified Internal Auditor) — IIA credential; three parts; can be pursued without 5-year experience for part 1

What to Document on LabList

Mock audit workpapers — documented test procedures and conclusions for ITGC testing
Audit finding samples — 2–3 written findings in formal format with different severity levels
Data analysis scripts — Excel workbooks or SQL scripts used for audit analytics
Framework knowledge — documented mapping of ITGC controls to COBIT, COSO, and compliance frameworks
Cert progression — Security+ → CISA Associate documented with study plan
Industry specialization — sector-specific regulations (SOX finance, HIPAA healthcare, CMMC defense)

FAQ

Common questions

How long does it take to become an IT Auditor?

18–24 months optimistic at 20–25 hours/week, 2–3 years realistic. IT audit is accessible from finance, accounting, or IT backgrounds. The Big Four firms (Deloitte, PwC, EY, KPMG) hire entry-level IT audit associates and provide structured CISA preparation — this is the most common entry path. Pure self-taught entry is harder because the role demands audit methodology that's typically learned on the job.

Which certifications matter for IT audit?

CISA is the gold standard, listed as required or preferred in the majority of IT audit postings. CIA (Certified Internal Auditor) for internal audit roles. CISSP for senior audit roles with security governance scope. CRISC for risk-heavy audit roles. CGEIT for IT governance focus. CISA Associate (exam passed, experience pending) is increasingly accepted for entry-level roles. 170,000+ CISA holders globally — the cert is genuinely valued.

Do I need an accounting or CS degree?

Helpful but not required. Big Four IT audit hires bachelor's degrees from many disciplines, then trains internally. Accounting majors transition fastest because audit methodology overlaps. CS or information systems majors transition fastest into the technical depth. Self-taught paths into IT audit are harder than into pure security because the role rewards traditional audit credibility. The 16,100 new IT auditor jobs projected 2025–2030 are largely filled by Big Four pipelines.

What separates a hired IT Auditor?

Audit methodology fluency. ITGC testing knowledge, CAATs proficiency (Excel + SQL data analysis at scale), and finding-writing skill. Hiring interviews routinely present scenarios — given a control test exception, walk through the testing methodology, sample selection, evidence requirements, and conclusion. Generalists with security backgrounds but no audit methodology lose. Big Four, financial services, and SOX-driven enterprises are the largest employers.

IT Auditor

Common questions

Related roles