IT Auditors and Logging Systems

I’ve tackled this subject a couple of times in recent posts in a cursory manner, but feel that it is probably time to elaborate on it. An IT auditor’s challenge out in the field is not getting any less complex. Systems are evolving into seamless, integrated cloud services for the end-user, while the internals of those systems are built on a complex computing architecture. The risks associated with this complexity are amplified when the professionals checking the integrity of these systems do not understand the technology, have no practical administration or configuration experience, and lack the knowledge needed to understand how these systems interact. Even at the lowest, most practical level, knowing where to look and how to analyze the data related to system interactions (the logs) is probably the most important skill for an IT or security auditor.
Let’s explain this importance using an analogy that many of us can relate to – the financial auditor or accountant. An accountant studies two years of double-entry accounting. The first year is basic required knowledge related to generally accepted accounting principles (GAAP), and the second year is accounting related to public entities, sometimes termed budget accounting, and beginning finance. The third year accounting student then moves into more exotic accounting principles related to tax, studies audit principles and other important subjects.
After this accounting student finishes studying, graduates, and moves on to prepare for (or passes) the CPA examination, he or she takes a job at an accounting firm, gains the necessary experience, and becomes a Chartered Accountant or a Certified Public Accountant. Then, after two or more years of auditing while employed with an accounting firm, most accountants lose touch with the details of double-entry accounting. They know how to check transactions for correctness quite effectively, but if you hand them a cancelled check and ask which account gets debited and which gets credited, most have to think hard before they answer. An uncertified bookkeeper sitting in the accounting office at a company can usually answer that question quicker and more accurately.

Back to the subject. Just like an accountant, in order to audit systems an IT auditor needs the knowledge foundation to check, at a low level, how systems interact and how those interactions are logged. With enterprise GRC products that check high-level system controls on a real-time basis, the IT auditor’s role of checking such controls will fade. Furthermore, fewer clients are willing to pay for paper IT auditors who walk in and only review paperwork related to systems management. The future of the IT auditor is an individual who can provide services that demonstrate a technical foundation.
One example is the growing subject of security metrics, which covers how we holistically measure the security of our environments. An IT auditor who does not understand system interaction, log review, and in some cases code review will never be able to successfully deliver such services, nor evaluate such systems. Another example is the real-time reporting systems currently implemented around products such as ArcSight. If you do not know the logging systems and the system interactions in that case, it is impossible to analyze whether such a system is set up properly (which sources feed it, what events they actually record, and what the correlation rules can therefore detect). The future of audit is leaning more toward a low-level systems technician with strong statistical math skills.
I discuss the future of our profession (both IT audit and security) in these terms and many Big Four partners laugh. It is a scary reaction, and it confirms how out of touch some of those ‘leading’ our profession have become.