Technology-Informed Audit vs Specialist IT Audit
Not all IT audit work requires the same level of technical expertise. Specialist IT audit work — penetration testing, vulnerability assessments, configuration review of specific technical systems, forensic investigation of system logs — does require technical credentials that most financial auditors do not have. But a substantial proportion of IT audit work falls into a different category: assessing whether IT governance is adequate, whether IT general controls are designed and operating effectively, and whether IT risk is appropriately managed. This category of work — technology-informed audit — is accessible to competent auditors with moderate investment in IT control knowledge.
IT General Controls: The Starting Point
IT general controls (ITGCs) are the organisation-wide controls governing how all IT systems are managed, secured, and changed. The four primary ITGC domains are: access management (who can access what systems and data, and how is access authorised, reviewed, and revoked); change management (how changes to IT systems are tested, approved, and implemented); computer operations (how systems are monitored, incidents managed, and backup/recovery processes work); and program development (how new systems and major enhancements are developed, tested, and implemented).
For each domain, the core audit question is one of governance, not technology: Does the organisation have clear policies and procedures? Are they being followed? Is there evidence of review and authorisation at appropriate levels? Can management produce that evidence on request, rather than describe it verbally? These questions can be answered by a competent auditor with moderate IT control knowledge.
User Access Review: The Highest-Impact Starting Point
For non-technical auditors beginning to incorporate IT scope, user access review is the highest-impact starting point. A basic user access review requires: obtaining the user access listing from IT (ideally generated directly from the system and dated, not a spreadsheet maintained by hand); comparing it against the active employee listing from HR; identifying users with access to systems or roles they do not need for their job (excessive access); identifying accounts of former employees that have not been revoked (orphan accounts); assessing whether segregation of duties conflicts exist (for example, the same person can both create vendors and approve payments); and reviewing whether periodic access reviews are substantive rather than rubber-stamp. Accounts with no matching HR record need a closer look rather than automatic exclusion: some will be approved service accounts, others will be unknown or shared logins that nobody owns.
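The reconciliation steps above are mechanical enough to script. The following is an added example, not part of the original article or any audit tool: it joins a constructed access listing against a constructed HR listing and returns orphan accounts, access beyond what a job title entitles, and segregation-of-duties conflicts. The role names, job titles, the entitlement matrix, the service-account register and the SoD rule are all assumptions made up for the illustration.

```python
"""Reconcile an IT user access listing against the HR employee list.

Added illustration for the access-review steps in the text, not audit
working papers: every listing, role name and rule below is constructed
sample data. Assumptions: HR supplies a job title per person, and the
organisation keeps a role-to-job entitlement matrix and a register of
approved service accounts (without the register, every service account
is reported as an orphan, which is the safer default).
"""
from collections import defaultdict
from datetime import date

# Constructed IT access listing: one row per (account, system, role).
ACCESS_LISTING = [
    {"account": "jsmith", "system": "ERP", "role": "AP_VENDOR_CREATE"},
    {"account": "jsmith", "system": "ERP", "role": "AP_PAYMENT_APPROVE"},
    {"account": "mlee", "system": "ERP", "role": "AP_VENDOR_CREATE"},
    {"account": "mlee", "system": "ERP", "role": "GL_POST"},
    {"account": "rpatel", "system": "ERP", "role": "AP_PAYMENT_APPROVE"},
    {"account": "tnguyen", "system": "ERP", "role": "GL_POST"},
    {"account": "svc_backup", "system": "ERP", "role": "DB_ADMIN"},
    {"account": "svc_legacy", "system": "ERP", "role": "DB_ADMIN"},
]

# Constructed HR listing: employment status, job title and leaving date.
HR_LISTING = {
    "jsmith": {"status": "active", "job": "AP Clerk", "left": None},
    "mlee": {"status": "active", "job": "AP Clerk", "left": None},
    "rpatel": {"status": "active", "job": "AP Manager", "left": None},
    "tnguyen": {"status": "terminated", "job": "GL Accountant",
                "left": date(2024, 3, 31)},
}

# Assumed entitlement matrix: roles each job title is expected to hold.
ENTITLEMENT_MATRIX = {
    "AP Clerk": {"AP_VENDOR_CREATE"},
    "AP Manager": {"AP_PAYMENT_APPROVE"},
    "GL Accountant": {"GL_POST"},
}

# Assumed register of approved non-human accounts (never present in HR).
SERVICE_ACCOUNT_REGISTER = {"svc_backup"}

# Segregation-of-duties rules: role pairs one person must not hold together.
SOD_RULES = [("AP_VENDOR_CREATE", "AP_PAYMENT_APPROVE")]

# Date the review is performed against (constructed).
REVIEW_DATE = date(2024, 6, 30)


def roles_by_account(listing):
    """Collapse the row-per-entitlement listing into {account: set(roles)}."""
    roles = defaultdict(set)
    for row in listing:
        roles[row["account"]].add(row["role"])
    return dict(roles)


def find_orphan_accounts(listing, hr, service_accounts, as_of):
    """Accounts with no active employee behind them.

    Returns {account: (reason, days_since_leaving_or_None)}. Accounts absent
    from HR and not in the service-account register are flagged too, since
    they may be unknown persons or unregistered service/shared logins.
    """
    orphans = {}
    for account in sorted(roles_by_account(listing)):
        if account in service_accounts:
            continue
        record = hr.get(account)
        if record is None:
            orphans[account] = ("not in HR", None)
        elif record["status"] != "active":
            days = (as_of - record["left"]).days if record["left"] else None
            orphans[account] = (record["status"], days)
    return orphans


def find_excessive_access(listing, hr, matrix):
    """Roles held beyond what the holder's job title entitles: {account: [roles]}."""
    excess = {}
    for account, roles in sorted(roles_by_account(listing).items()):
        record = hr.get(account)
        if record is None or record["status"] != "active":
            continue  # reported by find_orphan_accounts instead
        extra = roles - matrix.get(record["job"], set())
        if extra:
            excess[account] = sorted(extra)
    return excess


def find_sod_conflicts(listing, rules):
    """Accounts holding both halves of a conflicting role pair: [(account, a, b)]."""
    conflicts = []
    for account, roles in sorted(roles_by_account(listing).items()):
        for a, b in rules:
            if a in roles and b in roles:
                conflicts.append((account, a, b))
    return conflicts


if __name__ == "__main__":
    print("orphans:", find_orphan_accounts(ACCESS_LISTING, HR_LISTING,
                                           SERVICE_ACCOUNT_REGISTER, REVIEW_DATE))
    print("excessive:", find_excessive_access(ACCESS_LISTING, HR_LISTING,
                                              ENTITLEMENT_MATRIX))
    print("sod:", find_sod_conflicts(ACCESS_LISTING, SOD_RULES))
```

On the sample data this reports tnguyen as a terminated account still active 91 days after leaving, svc_legacy as an account nobody in HR or the service-account register owns, jsmith and mlee as holding roles outside their job title, and jsmith as a vendor-create plus payment-approve conflict. The three findings are deliberately kept separate: an orphan account is a leaver-process failure, excessive access is a provisioning or review failure, and a SoD conflict is a role-design failure, and each points to a different control owner. The "days since leaving" figure is what lets an auditor test the organisation's stated revocation SLA rather than merely note that revocation eventually happened.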
Practical Interview Questions That Require No Technical Knowledge
Non-technical auditors are often uncertain about what to ask IT management. These questions require no technical expertise: How are new user accounts created and who approves them? What happens when an employee leaves — how quickly is access removed? How are changes to production systems tested and approved before implementation? Who monitors system availability and how are outages escalated? When was the last time backup recovery was tested? Can the same person both create and approve a transaction? These questions surface governance failures that are fundamentally risk management issues — not technical configuration issues.
When to Bring in a Specialist
Technical configuration reviews, such as assessing database access controls, reviewing firewall rule sets, or evaluating cryptographic implementations, require hands-on technical expertise and should not be attempted without it. Knowing what requires specialist expertise is as important as knowing what can be done without it. The governance and process elements of IT audit can and should be performed by all audit team members. Technical elements should be co-sourced with IT audit and security specialists (CISA-credentialed IT auditors for control testing methodology, and practising cybersecurity specialists for penetration testing, configuration and cryptographic review) when the audit plan identifies technical assessment needs that exceed the function's internal capability.