“Are IT audits usually their own full engagement? Or are IT specialists brought in to back up the financial auditors for stuff like IT control walkthroughs/testing?”
IT audit is short for IT Risk Assessment at EY. They're technically advisory, bu they do back up audit teams in doing IT walkthroughs and testing ITGCs. However, they also do their own separate engagements for publishing SOC 1 or SOC 2 reports for instance. But that's all I know about their engagements.
“I feel like a financial auditor who knows what they're doing could at least handle the IT controls of a client, unless they're undergoing a complex system migration or something”
I was an auditor for three years, and I don't know the first thing about IT audit. Not the methodology and not the actual procedures. I reviewed their work and understand the concepts at a high level. But F' if I knew anything about actually doing them.
And you mentioning about doing both jobs…At least in the Big 4, I just don't see how. I mean that's duplicate training, duplicate HR structure (because you are now in advisory as well), possibly (not 100% on this actually) independence issues for public companies (because you are now in advisory as well), and you have to split time between IT audit and real audit. Which, I don't see how it's possible, seeing that as a Senior you're up to your eyeballs in work with just being in audit.
I mentioned the data analysis team EY had? Yeah, I was part of that. And the main reason it's basically dead is because auditors, the people meant to be that role, had no time either on the part of the CDA (“certified data analyst”) or on the receiving part of the audit team needing help. The training was also subpar because they crammed everything into one 3 day session because auditors don't really have time for their own training and other complete training in a whole separate skill.
Anyhow, not saying that you should forget about your thoughts on IT audit. My suggestion is this, do a year of regular financial audit. At the same time, little by little, study up on the CISA and learn more about what IT audit actually does. After your first year is over then you can evaluate if you want to stay put or transfer. If you want to transfer take the CISA, talk to your firm mentor about your desire, and you'll probably be able to transfer after your second busy season if you have good ratings. It's a pretty common occurrence to be honest.