Copyright 2003 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

IT Audit Career Development Plan

By Frederick Gallegos, CISA, CGFM, CDE

efore entering the field of IT auditing, one must understand that it is a field of continuous and constant change. Therefore, IT auditors must look ahead at their future and develop a plan focusing on what they hope to attain in their career, whether formal or informal. Either way, the plan should help one attain most career goals. The career development plan also is a way to find out if an organization values the IT audit process. Investing in human resources can go a long way in attracting and retaining skilled, talented staff. Typically, a functional, successful and formal career development plan consists of at least six major components that must be integrated into an established process within the organization. These components are: Career path planning with management support Definition of knowledge, skills and abilities Performance assessment Performance counseling/feedback Training Professional development Each element is a necessary component of an effective career development plan; however, the most critical of these components is the first, as it is related to the IT auditor.

Effective Career Path Planning Needs Management Support

The establishment of the career development planning process must begin with the support of management in the organization. The support requires a commitment from management to acknowledge and define horizontal and vertical career path opportunities within the organization. This means that the IT auditor could make IT audit a career or use it as a steppingstone into corporate management. The IT audit career path can offer professionals tremendous diversity in their career. Management must support such diversity and job opportunity. Often, management support can help infuse an organization with knowledge, skills and abilities to implement change. Without support, IS audit staff will view career opportunities with mixed emotions and doubt. This can cause the eventual loss of employees to outside concerns because the opportunities are similar. An example of this would be an IT audit professional who starts with a large CPA firm and, after four years, moves to an IT audit manager position in a private firm. After another three to four years, this audit professional transfers to an audit director position with another firm. External opportunities will be sought by employees who are not satisfied with their own career development or advancement. The organizations management must ask itself a serious

question: Can management continue to afford to bring new staff into these critical positions and train and develop them, only to lose them to opportunities outside the organization? With a good career development plan, organizations are building resources who are knowledgeable about the life systems of the organization and who have strong skills in IT technologies, audit methods, communication and administration. Such a person is an ideal candidate for managing or integrating new technologies into the operating environment of an organization. If one plans to enter this field, it is important to look closely at the institution to learn if it has in place and supports career development planning. The other components should be part of the career development planning process and career plan. The organization should be able to tell entering professionals what the career path looks like and define the knowledge, skills and abilities needed to advance to the next level. Next are the components of performance assessment and performance counseling. Performance assessment should be given at least twice a year by a manager or supervisor to tell auditors how they are performing compared to the knowledge, skills and abilities of that level. Performance counseling and feedback inform auditors how they performed their work in accordance with the audit objectives of that assignment and what they can do to improve their audit performance and the knowledge, skills and abilities needed to reach the next level. Added skills can be reached through training, so an organizations commitment to provide the necessary training when needed is a critical measure of the organizations commitment to career development planning. One also must understand that training provides added skill, but the measure of whether one has learned the skill is in application. Application demonstrates the knowledge individuals have gained and their ability to do the required work. The last component, but not the least, is professional development. If the organization supports individual involvement in the professional community or in a professional association, give that company the highest marks. It is supporting professional development by allowing auditors to network with their peers and associates in this field. Through this process, individuals can gain access to new methods, techniques, best practices and the awareness that they and their colleagues are not alone in this challenging and ever-changing field. If the organization does not engage in professional development, then it is a signal to look elsewhere or invest in oneself. Some organizations, due to tight budgets or the economy, may not be able to offer full or partial reimbursement support. However, they may allow time off to participate. Therefore, individuals in the IT auditing field have to invest in themselves to maintain their currency and development to practice their trade.

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2003

Conclusion
One could go on and on about career development planning and the process. Development of staff was a key factor in this authors success in this field. It can be in anyones, too. However, behind all of this is the need for management support and commitment to the process. Career planning can be formal or informal. If informal, then individuals must be responsible for the paths they seek and take the steps necessary to gain the knowledge, skills and abilities of their tradetheir career.

Frederick Gallegos, CISA, CGFM, CDE is an adjunct professor and MSBA information systems audit advisor for the Computer Information Systems Department, College of Business Administration, California State Polytechnic University, Pomona, California, USA. He has more than 30 years experience in the information systems audit, control and security field. He has taught undergraduate and graduate courses in the IS audit, security and control field and is published widely.

References
Gallegos, Frederick; IS Audit Career Development Planning, Auerbach/RIA Group Publishers, New York, USA, 1997, pp. 1-11 Gallegos, Frederick; Sandra Allen-Senft; Daniel P. Manson; Information Technology Control and Audit, Auerbach /CRC Press, June 1999, chapter 16 and 17 Weber, Ron; Information Systems Control and Audit, Prentice Hall, 1999

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. Copyright 2003 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2003