← Back to All Courses
Path B — IT Audit Analyst

You're not inside
the company.
You're auditing it.

Path B puts you in the auditor's seat — independent, sceptical, and evidence-driven. You plan audits, execute ITGC tests in a live SAP system, write professional findings, and communicate results to management. You graduate with 20 audit documents and the experience of one complete IT audit engagement.

Enrol Now → See How It Works
What you graduate with
20
Completed audit documents — workpapers, findings, reports, evidence assessments
8
IT Audit modules covering every skill in IT Auditor job descriptions
1
Complete IT audit engagement worth of practitioner experience in NovaTech S.A.
37
Years of Big 4 SAP GRC experience behind every lesson and worked example
Path B — IT Audit Analyst
You test controls. You write findings. You report to the Audit Committee.
  • You are independent — you do not operate the controls you test
  • You plan the audit, define scope, and assess risk before testing
  • You apply professional scepticism — you don't accept what management tells you without evidence
  • You write findings when controls fail — in 5 C's format, with severity, root cause, and recommendation
  • You communicate results to management and defend your conclusions under pushback
  • Your output is the audit report — a formal document reviewed by the Board
Path A — SOX Controls Analyst (for comparison)
You build controls. You prepare evidence. You present to auditors.
  • You are inside the company — part of the management controls team
  • You maintain the RCM, write control descriptions, and prepare testing evidence
  • You respond to auditor requests — your job is to demonstrate controls are working
  • You identify deficiencies and escalate — but management decides the response
  • You present walkthroughs to external auditors and answer their questions
  • Your output is the SOX testing file — reviewed by the Big 4 engagement team
How every lesson works

Five steps. One audit engagement.
Real output at every stage.

Path B follows the full IT audit engagement lifecycle — from planning through fieldwork, findings, reporting, and follow-up. Every lesson advances the engagement. Every deliverable is a real audit document.

Step 01
📄
Lesson Notes
Practitioner-written audit methodology from the auditor perspective. Every concept is applied to the NovaTech S.A. scenario — you are the IT Audit Analyst, not the controls team.
Read & Understand
Step 02
🔬
Lab Exercise
You log into the live SAP S/4HANA system and execute ITGC tests exactly as an IT auditor would. You extract populations, sample items, and evaluate evidence — then document what you find.
Test & Document
Step 03
📋
Audit Workpaper
You use your Lab results to produce a professional audit workpaper — testing approach, sample, results, exceptions, and conclusion. Written to be "sufficient for a stranger" — the Big 4 standard.
Build Portfolio
Step 04
Finding & Report
Where testing reveals exceptions, you write a formal finding using the 5 C's framework. In later modules, you compile findings into an audit report with executive summary and overall opinion.
Communicate Results
Step 05
🏆
Instructor Feedback
Your workpaper and findings are reviewed against gold standard examples — the same quality bar used in real Big 4 IT audit engagements. You receive specific feedback before advancing.
Refine & Advance
The NovaTech S.A. Scenario

Same company.
Different chair.
You are the auditor.

Path B is set inside NovaTech S.A. — the same fictional NYSE-listed energy company used in Path A. But while Path A trainees work inside the controls team, Path B trainees sit in the seat of Sofia Andrade, IT Audit Lead — and you are auditing their work.

You are independent. You do not operate the controls — you test them. You receive evidence from the controls team (your Path A colleagues in the scenario), evaluate it against professional standards, and determine whether it is sufficient. When it isn't, you request more. When controls fail, you write findings.

This creates a remarkably realistic training environment. The NovaTech scenario includes real characters (Marcus Obi, IT Security; Daniel Ferreira, Controls Manager), real access control findings (terminated employees, self-approved transports, SoD conflicts), and real management pushback scenarios — llcluding a CFO asking you to downgrade a finding.

"Auditors who have practiced handling pushback before they face it on a real engagement are visibly more confident. The NovaTech management challenges in Path B are designed to build exactly that muscle." — IT Audit Lead, Managing Partner | TIB Systems Llc. | 37+ Years Big 4 GRC Experience
Your Role — Path B
Your titleTrainee IT Audit Analyst
Your supervisorSofia Andrade, IT Audit Lead
Audit clientNovaTech S.A.
System under auditSAP S/4HANA 2023 (NTS)
Audit areaITGC — Access, Change Mgmt, Ops
Audit standardIIA Standards · PCAOB AS 2201
External auditBig 4 firm (in scope)
Reporting lineAudit Committee (independent)
Management contactsMarcus Obi · Daniel Ferreira
The 8-Module Programme

From planning to report.
The complete IT audit engagement.

Path B follows the IIA audit engagement lifecycle. Every module advances the NovaTech audit from initial planning through fieldwork, findings, reporting, and follow-up. Every lesson produces a document that would exist in a real audit file.

Module 1 · Week 1
Internal Audit — Purpose, Structure, and the Auditor's Mindset
3 lessons · 12 hours
You StudyYou Produce
  • What internal audit does — mandate, independence, Three Lines
  • Audit universe and annual planning — risk-based approach
  • Audit engagement lifecycle — five phases from planning to follow-up
  • NovaTech Internal Audit Function Overview
  • IT Audit Universe and Annual Plan (8 subjects, risk-ranked)
  • Audit Planning Memo — User Access Management engagement
Module 2 · Week 2
Risk Assessment — The Audit Foundation
2 lessons · 10 hours
You StudyYou Produce
  • Audit risk model: inherent risk × control risk × detection risk
  • Scoping an IT audit — population, in-scope systems, exclusions
  • Risk Assessment Memo (3 controls, full audit risk model)
  • Audit Scope Document — NovaTech UAM engagement
Module 3 · Weeks 3–4
Audit Testing — How IT Auditors Test Controls
4 lessons · 24 hours
You StudyYou Produce
  • Four testing methods: inquiry, observation, inspection, re-performance
  • Sampling: judgmental vs. statistical, sample sizes by frequency
  • SARA evidence standard — what counts and what doesn't
  • ITGC testing in practice — access, change, and operations end-to-end
  • Testing Methodology Note — NovaTech provisioning control
  • Sampling Methodology Note — population, N, n, rationale
  • Evidence Standards Assessment — SARA evaluation of 5 items
  • Combined ITGC Test Summary — access and change management
Module 4 · Week 4
Walkthroughs and Evidence Review — The Fieldwork Skills
2 lessons · 10 hours
You StudyYou Produce
  • Conducting walkthroughs from the auditor perspective — planning and execution
  • Reviewing evidence from the controls team — professional scepticism in practice
  • Walkthrough Documentation Memo (auditor perspective)
  • Evidence Sufficiency Assessment (accept / reject / supplement decisions)
Module 5 · Weeks 5–6
Identifying and Documenting Exceptions and Findings
2 lessons · 11 hours
You StudyYou Produce
  • Exception vs. finding — the three-step path from test result to formal finding
  • Writing audit findings — the 5 C's: Condition, Criteria, Cause, Consequence, Corrective Action
  • Exception Classification Memo (5 NovaTech test results rated)
  • Three complete audit findings in 5 C's format — access, change management, and operations
Module 6 · Weeks 6–7
SAP Audit Awareness — What IT Auditors Must Know
2 lessons · 10 hours
You StudyYou Produce
  • What auditors look for in SAP: SoD, sensitive access, configuration risks
  • Testing SAP access controls: terminated user test, UAR evaluation, parameter testing
  • SAP Risk Assessment Summary — SoD, sensitive access, key parameters
  • Terminated User Access Test Workpaper + UAR Evaluation Note
Module 7 · Week 7
Audit Documentation and Reporting
3 lessons · 16 hours
You StudyYou Produce
  • Audit workpapers — structure, "sufficient for a stranger" standard
  • The audit report — executive summary, findings section, overall opinion
  • Communicating results — no-surprises principle, management meetings, pushback
  • Complete Audit Workpaper — terminated user access test
  • Full IT Audit Report — executive summary, findings, opinion
  • Findings Meeting Preparation Pack — summary, pushback responses, management response template
Module 8 · Week 8
Job Preparation — Resume, LinkedIn, Interview, Strategy
2 lessons · 8 hours
You StudyYou Produce
  • IT Audit resume — ATS optimisation, IT audit keywords, portfolio framing
  • LinkedIn for IT audit professionals — profile, network, content strategy
  • Your complete IT Audit Analyst resume (ATS-optimised, NovaTech experience)
  • Full LinkedIn Profile Optimisation Plan + 10-connection outreach target list
Your Graduate Portfolio

You graduate with a complete
IT audit engagement file.

Every document you produce in Path B is a real audit deliverable — the kind that would exist in a Big 4 or internal audit working paper file. When an interviewer asks "have you conducted an IT audit?" you answer with specifics.

20
Portfolio Documents
6
Audit Workpapers
3
Formal Findings (5 C's)
1
Full Audit Report
M1 · L1
Internal Audit Function Overview
Mandate · Three Lines · independence analysis
M1 · L2
IT Audit Universe & Annual Plan
8 subjects · risk-ranked · priority 1/2/3
M1 · L3
Audit Planning Memo
Objective · scope · population · timeline
M2 · L1
Risk Assessment Memo
Audit risk model · 3 controls · sample implications
M2 · L2
Audit Scope Document
In-scope · exclusions · population defined
M3 · L1
Testing Methodology Note
4 methods · rationale · combination approach
M3 · L2
Sampling Methodology Note
N · n · method · PCAOB guidance applied
M3 · L3
Evidence Standards Assessment
5 items · SARA rated · remediation requested
M3 · L4
ITGC Test Summary Workpaper
Access + change management · exceptions documented
M4 · L1
Walkthrough Documentation Memo
Auditor perspective · gaps identified
M4 · L2
Evidence Sufficiency Assessment
Accept / reject / supplement decisions documented
M5 · L1
Exception Classification Memo
5 results · deficiency / sig. def. / MW rated
M5 · L2
Three Audit Findings (5 C's)
Access · change management · operations
M6 · L2
Terminated User Access Test Workpaper
SUIM · HR cross-reference · 1 confirmed finding
M7 · L1
Complete Audit Workpaper
Full format · "sufficient for a stranger" standard
M7 · L2
Full IT Audit Report
Executive summary · findings · overall opinion
M7 · L3
Findings Meeting Preparation Pack
Summary · pushback responses · management template
M8 · L1
IT Audit Analyst Resume
ATS-optimised · NovaTech audit experience
M8 · L2
LinkedIn Profile Optimisation Plan
Headline · About · outreach target list

Plus the SAP Risk Assessment Summary (M6-L1). Full portfolio inventory available to enrolled students in the Career Intelligence Library.

Mentoring & Feedback

Your work is reviewed against Big 4 audit quality standards.

Path B is taught by a Managing Partner and Principal Consultant with over 37 years of Big 4 SAP GRC practitioner experience. Every worked example in the programme reflects what an experienced IT audit senior would produce — and what they would expect from a junior on their team.

Feedback is specific and professional. When you submit a finding, you are told what would survive management pushback and what would be questioned. When you submit a workpaper, you are told whether it meets the "sufficient for a stranger" standard — the same test used in Big 4 quality reviews.

  • 📖
    Weekly Q&A sessions — live, recorded, open to all questions
  • ✍️
    Workpaper and finding feedback within 5 business days
  • Management pushback simulations — practice defending your conclusions
  • 💼
    Interview preparation with "walk me through an audit you conducted" coaching
  • 📚
    Career Intelligence Library — updated weekly throughout your enrolment
Instructor-Led vs Self-Paced

Choose the intensity that fits your life.

Both tracks cover the same 8-module curriculum and produce the same 20 portfolio documents. The difference is live access and cohort pace.

Live SAP S/4HANA Access — The Auditor's View

You access the same system
as the controls team.
From the other side.

Path B trainees access the same live SAP S/4HANA 2023 sandbox as Path A — but from the auditor perspective. You are not building controls; you are testing them. You extract populations, run audit queries, evaluate what the system tells you, and determine whether the evidence you see supports or contradicts the controls team's assertions.

The key audit transactions in SAP — SUIM for population extraction, SM20 for security audit log review, RZ11 for parameter testing — are tools that IT auditors use in every engagement. Path B gives you live practice with all of them before your first real client engagement.

Transactions you run as an IT auditor
SUIM
Population extraction — active users, by profile, by role, by logon
SU01
Individual user review — roles, validity dates, user type
SE10
Transport records — Owner vs. Releaser SoD test
SM20
Security Audit Log — post-termination login evidence
RZ11
Profile parameters — password policy design test
SM37
Batch job log — IT operations testing evidence
STMS
Transport landscape — change management scope
PFCG
Role content review — authorisation object inspection
Curriculum vs. Market

Every IT Audit Analyst skill employers demand.
Every one covered in Path B.

Based on analysis of 50+ live IT Audit Analyst job descriptions across USA, UK, UAE, Australia, and India from TIB-MKT-JOB-003 (June 2026).

Skill Demanded in Job DescriptionsFrequencyPath B CoverageLesson
Audit methodology (IIA Standards)94% of postings✦ Full moduleM1
Risk assessment / audit risk model88% of postings✦ Dedicated moduleM2
ITGC testing (access, change, ops)92% of postings✦ End-to-end labM3-L4
Sampling methodology76% of postings✦ Dedicated lessonM3-L2
Evidence standards / SARA71% of postings✦ Dedicated lessonM3-L3
Walkthroughs (auditor perspective)83% of postings✦ Full moduleM4-L1
Audit findings writing (5 C's)89% of postings✦ 3 complete findingsM5-L2
SAP access controls testing78% of postings✦ Live SAP labM6-L2
Audit report writing85% of postings✦ Full report producedM7-L2
Communication to management / Audit Committee79% of postings✦ Dedicated lessonM7-L3
Who Path B Is For

The independent perspective
requires a different mindset.

Path B is for professionals who want to ask the questions — not answer them. If you want to test controls rather than run them, Path B is your track.

🔍
Finance or Accounting Auditors Moving into IT
You know how to test and document. You understand audit evidence standards and how to write a finding. Path B adds the IT and SAP technical layer — ITGC, access controls, change management — that qualifies you for IT Audit Analyst roles rather than financial auditor roles.
💻
IT Professionals Moving into Audit
You understand systems. You know what change management should look like, what access controls are supposed to do, and what constitutes a real system risk. Path B teaches you the audit methodology — how to translate that technical knowledge into formal findings, workpapers, and reports that stand up to scrutiny.
🏢
Big 4 or Firm Aspirants
Technology Risk and IT Audit practices at Big 4 firms are among the fastest-growing service lines. Path B gives you the practitioner foundation — IIA methodology, ITGC testing, SAP access auditing, findings writing — before your first day. You arrive ready to contribute, not ready to be trained.
📋
Internal Audit Professionals Adding IT Skills
You are already inside an internal audit function but working on financial or operational audits. Path B adds the IT dimension — SAP access testing, ITGC methodology, technology risk assessment — that qualifies you for IT audit assignments and broadens your professional scope.
🎓
Recent Graduates Targeting IT Audit
IT Audit Analyst roles at Big 4 firms and large corporates typically ask for CISA or CIA in progress and 1–2 years of experience. Path B gives you the practitioner foundation — and a portfolio of audit work — that makes you credible before you have the years. The audit engagement file you produce in Path B is real evidence of capability.
🌍
International Professionals
IT audit skills are globally transferable. The IIA Standards and ITGC methodology are the same whether you work in New York, London, Dubai, or Mumbai. Path B's Career Intelligence Library covers salary benchmarks and employer targets across all major markets.
Path B may not be right for you if: you want to work inside a company's controls team managing the SOX programme — that is Path A. And if you already have 3+ years of IT audit experience, the TIB Controls Lead programme (90-procedure audit suite, Domains A–N) may be a better fit for your technical depth requirements.
Enrolment Investment

Path B Pricing

Both tracks cover the identical 8-module curriculum and produce the same 20-document portfolio. Same price as Path A — same value commitment.

Self-Paced + Q&A Support
Path B — Self-Paced
Pay in Full
$597
or
Monthly
$199/mo × 4

4-month programme · enrol and start within 48 hours

  • Full 8-module curriculum with Lesson Notes
  • All 20 Lab Guides with step-by-step SAP instructions
  • All 20 Project templates with worked examples
  • Live SAP S/4HANA 2023 system access
  • Weekly Q&A sessions (recorded)
  • Career Intelligence Library — updated weekly
  • IT Audit resume templates and LinkedIn guide
  • 270+ interview questions with STAR narratives
Enrol — Self-Paced →
Most Comprehensive
Instructor-Led · Live Cohort
Path B — Instructor-Led
Pay in Full
$1,597
or
Monthly
$399/mo × 4

4-month programme · cohort-based · live sessions

  • Everything in Self-Paced, plus:
  • Live weekly sessions with lead instructor
  • Cohort peer group — go through together
  • Direct instructor access throughout
  • Workpaper and finding review within 5 business days
  • Live management pushback simulation with feedback
  • Priority career placement support
Enrol — Instructor-Led →
Not sure whether Path A or Path B is right for you? Book a no-obligation enrolment consultation.
Frequently Asked Questions

Everything you need to know
before you enrol in Path B.

Path A trains you to work inside a company — on the controls team, managing the SOX programme, preparing evidence for auditors. Target roles: IT Controls Analyst, SOX Analyst, IT Compliance Analyst. Path B trains you to work as an independent auditor — testing controls, writing findings, and communicating results to management. Target roles: IT Auditor, Internal Auditor, Technology Risk Analyst. Both programmes use the same NovaTech S.A. scenario and the same SAP system. In Path B, you are auditing the work of the controls team that Path A trainees would run.
No. Path B is designed for career changers and professionals transitioning into IT audit. Module 1 starts with the fundamentals — what internal audit is, why it exists independently, and how the engagement lifecycle works. If you have prior audit experience (financial or operational), you will find the methodology familiar and the IT and SAP layer is what you will be adding. If you have no audit background, Path B provides that foundation from the first lesson.
You can start with either path — they are independent programmes. However, if you are uncertain about which roles you are targeting, Path A gives you a broader foundation (controls team work is more common than IT audit at entry level) before narrowing to Path B's auditor perspective. Some students choose to complete both over 8 months — and the NovaTech scenario across both paths creates a uniquely comprehensive understanding of how controls and audit interact. Contact us to discuss a dual-path enrolment option.
In Module 7, you write an audit report with an overall opinion of "Needs Improvement." In the scenario, the NovaTech CFO contacts your supervisor (Sofia Andrade) and asks for the rating to be changed to "Satisfactory." You write the professional response Sofia should give. In the Instructor-Led track, this scenario is also practiced live — you and your instructor take turns as auditor and CFO, and your instructor gives you specific feedback on your handling. This is one of the highest-value exercises in Path B because it is the situation that most new auditors find most difficult in their first engagement.
Path B is not a certification prep course, but it builds substantial foundational knowledge aligned with both CISA and CIA domains. The IIA methodology covered in Modules 1–4 maps directly to CIA Part 1 and Part 2 content. The IT audit testing methodology maps to CISA Domain 2 (IT Governance and Management) and Domain 3 (Information Systems Acquisition, Development and Implementation). Graduates of Path B typically find CISA and CIA study material significantly more accessible than peers who have not had practitioner-level IT audit experience.
Based on TIB-MKT-JOB-003 (June 2026): entry-level IT Audit Analyst roles range from $60,000–$85,000/year in the USA, £38,000–£55,000 in the UK, and $65,000–$115,000 (tax-free) in the Gulf. Big 4 Technology Risk Associate roles typically start at $75,000–$95,000 in major US cities. SAP and S/4HANA experience commands a premium. Full regional salary data is in the Career Intelligence Library.
Most IT audit courses teach methodology in theory — they describe what a walkthrough is, what SARA means, how to select a sample. Path B applies every concept in a live SAP environment with a consistent NovaTech S.A. scenario throughout. You don't read about how to evaluate evidence — you receive evidence from the NovaTech controls team and decide whether to accept, reject, or request supplementary material. You don't read about how to write a finding — you identify exceptions in your own SUIM extract and write the finding in 5 C's format. The portfolio you graduate with is the difference between knowing the methodology and being able to demonstrate you have applied it.
Yes — contact us at admin@tib-systems.com. Switching is possible up to the end of Module 3. You pay any applicable difference and all submitted work carries over. Some students start Path B and realise they prefer the controls team perspective — this is a valid reason to switch, and the NovaTech familiarity from Path B makes Module 1 of Path A significantly easier.

Your first audit finding starts
with your first lesson.

Enrol in Path B today. Within 48 hours you will have access to the NovaTech S.A. SAP system, your Audit Planning Memo template, and your first Lab Guide. By the end of Week 1 you will have produced your first professional audit document.

Enrol in Path B → View Path A Instead ← All Courses
© 2026 TIB Systems Llc. · Path B — IT Audit Analyst · Atlanta · Hyderabad · RAK
All Courses Path A Library Contact