Key Responsibilities and Required Skills for IT Audit Manager
💰 $110,000 - $160,000 (USD)
Categories: Audit · Information Technology · Risk & Compliance
🎯 Role Definition
The IT Audit Manager is a senior risk and assurance professional responsible for planning and executing IT audit programs, assessing IT general controls (ITGC) and application controls, driving remediation of control gaps, and advising business and technology stakeholders on risk mitigation. This role requires deep experience in IT auditing standards (COSO, COBIT), regulatory frameworks (SOX, PCI-DSS, GDPR), cloud and on-premise environments, and strong stakeholder management to translate technical findings into business-aligned remediation plans.
📈 Career Progression
Typical Career Path
Entry Point From:
- Senior IT Auditor with experience executing complex ITGC and application control audits.
- IT Risk Analyst or IT Compliance Analyst with experience in SOX compliance or regulatory programs.
- Information Security Engineer/Analyst transitioning into audit and risk assurance.
Advancement To:
- Director of IT Audit or Head of IT Audit & Compliance.
- Chief Audit Executive (CAE) or Senior Director, Internal Audit (with broader audit scope).
- Head of IT Risk Management or Chief Information Security Officer (CISO) for technical leaders with security focus.
Lateral Moves:
- IT Risk & Compliance Manager (focusing on policy and risk frameworks).
- IT Controls / SOX Controls Manager (specializing in financial controls and remediation).
- Information Security Program Manager (operational security leadership).
Core Responsibilities
Primary Functions
- Lead the end-to-end IT audit lifecycle: develop risk-based audit plans, define scope and objectives, create test plans, execute fieldwork, document findings, and present clear audit reports to senior leadership and audit committees.
- Design and maintain a cyclical IT audit calendar that aligns with enterprise risk priorities, regulatory requirements (SOX, PCI-DSS, GDPR), and business transformation initiatives such as ERP, cloud migration, and digital services.
- Perform in-depth assessments of IT General Controls (ITGC) including access management, change management, backup and recovery, segregation of duties (SoD), and system development lifecycle (SDLC) controls, documenting deficiencies and control effectiveness.
- Evaluate application and process-level controls for critical systems (ERP, CRM, payroll, financial close systems) to ensure integrity of data, accuracy of transactions, and adherence to business owner control matrices.
- Conduct comprehensive risk assessments and control gap analyses for cloud environments (AWS, Azure, Google Cloud), including cloud configuration, identity and access management, encryption, logging, and vendor management controls.
- Assess cybersecurity posture and controls by reviewing vulnerability management, patch management, network segmentation, endpoint security, incident response plans, and security monitoring capabilities; escalate material risks.
- Lead SOX IT control testing programs: coordinate with finance, business process owners, and external auditors to support control design testing, operating effectiveness testing, evidence collection, and remediation tracking.
- Develop clear, prioritized remediation plans with IT and business stakeholders; drive remediation project tracking, root-cause analysis, timeline commitments, and verification of corrective actions to closure.
- Manage and mentor a team of IT auditors and specialists: assign engagements, review workpapers and findings, provide coaching, and develop technical audit capabilities across the team.
- Prepare and deliver concise, executive-level dashboards and status reports highlighting control effectiveness, risk trends, remediation status, and key performance indicators (KPIs) for the audit committee and senior management.
- Coordinate with external auditors and regulators during IT audit activities, facilitating documentation requests, walkthroughs, testing support, and timely resolution of external audit findings.
- Use data analytics and continuous auditing techniques to identify anomalous transactions, risky configurations, and process exceptions; incorporate automated testing where appropriate to increase audit coverage and efficiency.
- Evaluate third-party and vendor risk related to hosted services, SaaS applications, and outsourced IT activities; perform vendor control reviews and assess vendor compliance with contractual and regulatory requirements.
- Lead audits of major technology initiatives and projects (ERP implementations, cloud migrations, service platform rollouts), focusing on control design, segregation of duties, test environments, and data migration risks.
- Ensure audit methodologies, templates, and workpapers comply with professional standards (IIA standards) and maintain high quality documentation suitable for internal and external review.
- Translate technical findings into business-focused recommendations that include risk impact, remediation options, estimated effort, and monitoring suggestions to aid decision-making by non-technical stakeholders.
- Maintain and enhance the IT audit knowledge base: keep abreast of evolving threats, technologies (cloud, containers, microservices), regulatory changes, and control frameworks to update audit programs and protocols.
- Facilitate control self-assessment workshops with process and control owners to strengthen control ownership, increase awareness, and proactively reduce audit findings in subsequent cycles.
- Drive continuous improvement of the IT audit function by identifying opportunities for automation of testing, standardizing procedures, and implementing audit management tools to increase efficiency and transparency.
- Oversee incident post-mortem reviews from an audit perspective, assessing whether controls functioned as intended, and recommending improvements to prevent recurrence and strengthen detection and response capabilities.
- Manage audit budgets, resource planning, and vendor relationships for specialized audit services (penetration testing, cloud security reviews), ensuring alignment with organizational priorities and cost-effective delivery.
- Ensure compliance with privacy and data protection laws (GDPR, CCPA) during audit activities by managing data access, minimization, secure handling of evidence, and coordination with privacy teams when PII is involved.
- Provide advisory support to project teams and IT leadership on emerging risks and control requirements for new initiatives, enabling “control by design” practices during system build and deployment.
Secondary Functions
- Support ad-hoc risk assessments and special investigations, including fraud investigations, compliance escalations, and complex cross-functional issues requiring technical audit expertise.
- Build and maintain relationships with IT operations, security, finance, legal, and business process owners to embed control thinking across the organization.
- Contribute to the organization's control framework and policy updates, recommending enhancements to SOPs, control documentation, and governance processes.
- Drive internal training programs for control owners and process teams on IT audit expectations, SOX requirements, access management best practices, and evidence preparation.
- Participate in vendor selection and oversight for security testing partners, audit management platforms, and analytics vendors; define scopes and evaluate deliverables.
- Assist in scoping and implementing continuous monitoring solutions (SIEM tuning, automated alerts, control dashboards) to reduce manual testing and provide faster risk detection.
- Contribute to enterprise risk committee meetings by preparing materials and briefing senior leaders on IT control trends, remediation status, and emerging risk exposures.
Required Skills & Competencies
Hard Skills (Technical)
- IT Audit Methodology (risk-based audit planning, workpapers, sampling and testing techniques).
- SOX Compliance & Controls Testing (ITGC and application control testing).
- Frameworks & Standards: COBIT, COSO, ISO 27001, NIST Cybersecurity Framework.
- Cloud Security Controls (AWS, Azure, Google Cloud) — cloud IAM, encryption, network controls, logging.
- IT Infrastructure & Architecture knowledge (servers, virtualisation, networking, database administration).
- Application Controls and ERP Security (SAP, Oracle, Workday) — role design, SoD, change controls.
- Security Operations & Incident Response (SIEM, endpoint protection, vulnerability management).
- Data Analytics for Audit (SQL, Power BI/Tableau, Python or R for analytics and automation).
- Regulatory & Privacy Compliance (PCI-DSS, GDPR, HIPAA, CCPA) and related evidence requirements.
- Penetration testing and vulnerability assessment interpretation (coordination with security testing teams).
- Audit management and GRC tools (Archer, ServiceNow GRC, TeamMate, Galvanize/Benford).
- Controls remediation project management and remediation verification techniques.
- Technical writing & report creation for executive and board-level communications.
Soft Skills
- Strong stakeholder management and executive presence — ability to influence technical and non-technical leaders.
- Strategic risk thinking with practical business-oriented recommendations.
- Excellent written and verbal communication — distilling technical issues into concise business impacts.
- Coaching and people leadership — mentoring auditors and building a high-performance team.
- Critical thinking, investigative mindset, and attention to detail during evidence evaluation.
- Project management and prioritization skills in a fast-paced, multi-project environment.
- Collaboration and negotiation — working with cross-functional teams to reach remediation commitments.
- Adaptability to new technologies and evolving threat landscapes.
Education & Experience
Educational Background
Minimum Education:
- Bachelor's degree in Information Systems, Computer Science, Accounting, Information Security, or related field.
Preferred Education:
- Master’s degree in Information Systems, MBA with technology focus, or MSc in Cybersecurity.
Relevant Fields of Study:
- Information Technology
- Computer Science
- Accounting / Finance
- Information Security / Cybersecurity
- Risk Management / Business Administration
Experience Requirements
Typical Experience Range:
- 6–12+ years of progressive IT audit, IT risk, or information security experience, with at least 3–5 years in a lead or managerial audit role.
Preferred:
- Experience managing SOX programs and coordinating with external auditors.
- Demonstrated experience auditing cloud platforms, ERP systems, and security operations.
- Professional certifications such as CISA, CISSP, CRISC, CIA, or CPA are highly desirable.
- Prior experience working in large, complex organizations or regulated industries (financial services, healthcare, technology).
- Proven track record of leading remediation programs and delivering executive-level reporting.