IT Audit & Risk Assurance: What do I need to know?

This is a generic question for a generic title, but for those of you with experience in the field, what do I need to know to succeed in a role that involves IT Audit & Risk Assurance? The role is for an audit firm (big 4) so it's customer facing.
I have customer facing skills and communication skills. They seem to ask for CISA so I think I'll do this exam soon.
But IT audit wise, what do I need to know? What I know so far, I have done security assessments for projects before, I understand technology and business very well. I've been involved in ISO27001 stuff, but it was straightforward.
Help UnixGuy become AuditGuy

Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE
Check out my YouTube channel: https://youtu.be/ug_ruisDUXc
Comments
CISA and the other ISACA certifications are going to be useful...and then vendor certs if you have responsibilities to audit technical security.
@TechGuru: Learning the other frameworks, do you mean trying to get an opportunity to do audit work related to those frameworks? Because I find reading about the frameworks isn't very helpful as the documents can be very dry.
Until I get a job opportunity where I can perform the tasks related to the frameworks, I need to find ways to improve my skills. Perhaps I should do CISA
Audits are based on adherence to a standard so understanding certain standards like PCI and SOC2 would be helpful if you want to work for a big 4 since that's typically the type of audits they perform.
If you think that the material is dry, you will probably find ISACA materials to be equally as dry - after all, it's material developed and written by auditors.
Second, don't just be the checkbox auditor. Just about everyone wants the checkbox and honestly it hurts them to be that way. If companies followed and put in the effort to be more than a checkbox, security frameworks would actually work. I always did my best to say "yes this would be compliant, but the spirit of the regulation is aiming for x, y, and z. To that end it will protect you more if you did it this way." You won't get everything, but meeting in the middle is great for everyone.
Your biggest advantage will be your technical knowledge. I garnered a lot of respect from the IT departments because I knew what they were facing technically and from a business standpoint. On my side, it allowed me to tell management what timelines were feasible. They didn't always love it, but they knew if I was saying it then it was what it was. Good luck!
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff
This is a very valid question, and a bit difficult to explain now as I haven't got the job yet. But in summary, I lost out on a couple of very senior leadership positions due to my lack of audit/3rd party assurance/risk experience. There is another factor: I may be presented with an opportunity to work for fewer hours. Still negotiating so it's all in the air.
TL;DR , for personal reasons, I will write about it soon
So here's what I need to do:
1) Sign up for the ISACA CISA exam
2) Start Reading about frameworks.
Last questions... The best resource to read about the frameworks? Any links? PDFs? Videos?
The best way to absorb and become an expert on the frameworks?
I think I'll start with ISO 27001 since it's the one I'm already familiar with...any ideas where to start?
Thanks again!
Most of the big 4 audit teams that I come across have very little to no hands-on technical background. It doesn't make them bad as auditors but it can sometimes be slow going to have to explain how something actually works.
PCI has the most prescriptive standard and it's freely available so you may want to start there. Start with these documents.
https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
As you mentioned - ISO 27000 family is good too - but the standards are not free - if you plan to buy them - I would suggest starting with these 3:
https://www.iso.org/standard/73906.html
https://www.iso.org/standard/54534.html
https://www.iso.org/standard/54533.html
Both 27001 and 27002 are about 5 years old so I don't know if there is a draft in the works.
Also - since you are interested in working at a big 4. I am guessing that SOC2 audits are a big part of their business.
IIRC - you are in Australia - I recall that SOC reports are used in Australia even though it's a US accounting standard.
https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html
If companies in Australia prefer ISAE reports - you could check out the IFAC website - https://www.ifac.org/publications-resources/staff-overview-international-standard-assurance-engagements-isae-3402-assuran
Bear in mind that these are accounting standards - most audit standards are developed by accountants - including the ones commonly used in security. Probably why you are finding the materials so dry
I don't think that Australian companies care about NIST standards but those standards are freely available. The 800 series are the relevant ones - https://csrc.nist.gov/publications/sp800
I'm surprised to hear that senior leadership positions favor people with audit backgrounds. That's a bit different than what I'm used to seeing in financial services here in the US.
Good luck.
You said most Big 4 auditors are not technical... hey, maybe I'll be the exception? Again I've got nothing so it's all up in the air now.
If you are looking to get into senior leadership, you may also want to familiarize yourself with governance and risk concepts. Check out the COSO framework and Cobit 5. If you joined ISACA to take your CISA, I think you should be able to get the COBIT materials as part of your membership.
Within IT Audit and Risk Assurance you have multiple sub teams auditing and validating controls against whatever standard, framework or policy is being assessed against. This usually means checking 2 things - 1) design effectiveness of controls (i.e. does the control adhere to the standard/policy) and 2) operating effectiveness - proving this is the case (for example, say design effectiveness states that there is only 1 admin as per policy; the latter would then enable you to take a screendump of the configuration to prove that only 1 account is within this admin group etc.).
Usually IT Auditing checks 3 things - change management, logical access and IT operations (i.e. the so called general controls). When you work in security auditing it usually means auditing against a standard (this could be, as mentioned previously, 27001, or using the 27005 risk assessment methodology to vouch for the 27002 list of controls; if data centre auditing then leveraging SOC 3 for instance etc.).
A lot of interviewing, collecting information, understanding the risks against compliance due to weak controls, testing and picking samples as well as the key thing - writing that magic report which brings it all together and justifies the big 4's astronomical fees
Plenty of jobs in this area and will never die down due to its inherent nature of reporting to the audit committee which reports directly to the board (thus audit is an independent function).
Having technical skills definitely helps as you can probe on some deeper technical questions. But it's not a role where you use tools to find common weaknesses in your OSs, network devices etc. - even though the tools help tremendously.
Hope this helps.
A lot of it is customer facing, having exposure to different business areas and also exposure to interacting with top Senior management like your CISOs, CROs, COOs.
Hope this sheds more light into what you are asking for.
Currently Studying: ISSAP / Python
"Be silly. Be fun. Be different. Be crazy. Be you, because life is too short to be anything but happy." - Anon
Certainly if you stay, be patient and progress your career in this area and reach Partner level - then the world is your oyster. Substantial six figure salary.
On another note, manoeuvring and working your way up the big 4 is an effort by itself. Network with the right people, attend all these events, drinks, BD, proposals etc. And have great relationships with these senior folks - even if it means having regular catchups so they get to know you really well. By having this you can always gain feedback and ask what to do to progress, gain promotion etc., and partners will always want to share this if they have built the relationship with you.
If someone had told me this many years back, it would have been worth its weight in gold.
Best of luck as working and progressing in the big 4 is a massive commitment by itself - you have to go beyond the work you do. Everyone has had different experiences I can only speak for myself but if you do the above you should hopefully progress and get the interesting projects. Maybe a secondment abroad too....
The catch is, I'm already on six figures+. The reason I'm negotiating a position in big4 is because they offered a part-time opportunity...this will give me a day or two off per week which will allow me to work on personal stuff.
Partner sounds awesome, but the exit opportunities from big 4 are awesome as well. I know many CIOs / CTOs / CEOs who were ex-big 4, so there is that opportunity!
Who knows..guess I'll know in the next couple weeks
Partner salaries are in excess of $500,000 - it's a partnership so they share the profits made by the firm too.
wow that's a lot of money!!
The position I'm negotiating is 'Manager'...However, I just saw a position that I qualify for that is 'director'...the salary difference between the two is not huge...
So it's about having established relationships already which will enable you to get a director level role. If you have this, fantastic, if not try going in at Senior Manager which will allow you to build this up with a view to then being on a path to director. That way you can still show your worth by being chargeable (i.e. the hands on audit work) and at the same time build on your contacts in industry.
Hope this helps...
Would you say it's a lot of Excel? And Excel skills need to be tip top?
Mind me asking why you say unfortunately? Are they tough to work for? Reason being I have a potential cyber consultant interview with one of the big 4 soon. Would my time be best spent at another company? Also, how do they differ to a "regular" company?
That sounds like something I'd really enjoy! I love sales!
Also in regard to why I said unfortunately
How they differ depends on what you want to compare them against. If it's against another consultancy (systems integrator or technical consultancy such as Accenture/IBM etc.) then the big 4 will do the typical controls review/assessment work. These other consultancies will do the hands on deployment, design, analysis etc. Big 4 will do the assurance to ensure the project is managed well/on time/controls deployed appropriately, raise risks and present the report to management. So it's less hands on. Now I know they are looking to get more advisory work and not assurance; however, if you want hands on project work a systems integrator is the way ahead I think. Much more exposure. Because if you join and you don't have work on, they will put you on an audit project as this is their bread and butter - then it may become a real headache.
@UnixGuy - Fantastic! Perfect for you hopefully.
@scasc this one is with Deloitte, Risk Advisory - Cyber Security - Senior Consultant
Hope this helps.