The security audit field is very broad and fortunately audit activities aren't restricted to just internal/external audit groups. In fact, you could consider pen testing activities to be an audit or assessment activity. There are also ample opportunities to implement control self-assessment activities in many organizations due to the ever-increasing regulatory requirements that a lot of businesses face.
My advice would be to perform comprehensive research on the topic and really decide what path you want to take (maybe both?).
CISA focuses on the audit process and audit considerations, but is fairly high level when it comes to the technical details of assessment. The CEH training along with your IT background would be a good complement in designing test plans and performing analysis during fieldwork (also check out the IAM).
The job market seems to be good for IT auditors nowadays, especially those with security backgrounds. A piece of advice for college grads and others going into IT - consider a few years with an internal IT audit group. You will get a broad view of the corporation and its IT functions, get in front of higher-level people (a great networking opportunity for the future), and hopefully learn about IT governance and how the business objectives should drive IT decisions.
I spent a little over a year in an IT audit shop after 4 years of security engineering work. I won't lie, the work was fairly mundane due to various constraints of the business - it all depends on what type of auditing you're allowed to do. It was, however, a great opportunity to round out some rough edges in terms of risk and control - very valuable experience in the security consulting work that I am now doing.
Last edited by mdschmid on Tue Sep 25, 2007 9:20 am, edited 1 time in total.