
Career path for IT auditors..?

Big-JJ Member Posts: 53
Hi guys,

I majored in accounting/MIS back in university. My initial plan was to get CPA and become a business auditor. It is just that I happened to get myself into IT audit right after my university.

I have been working as an IT auditor for 4 years now. And I started wondering….what career path is out there for IT auditors?

Someone told me that audit is a road to get into management. This is the biggest reason why I got myself into audit profession. Is this true? Or have you guys seen this happening for IT auditors that you know of?

I am a bit lost on my career path at the moment. So any advice will be appreciated :)

Thx.
MBA, CIA, CRMA, CISA, CISM, CRISC, CISSP, PMP

Comments

  • GoodBishop Member Posts: 359
    Big-JJ wrote: » (quoting the opening post above)
    I worked as an IT auditor for 2 years before becoming a GRC manager. It's an interesting profession. I wouldn't be where I am today had I not done my time as an auditor. It's worthwhile, though it might not seem like it initially.
  • paul78 Member Posts: 3,016
    Yeah - I would agree with GoodBishop. I know a few folks that went into governance from IT auditing. I also know a few that have made a career of auditing. In financial services, at least, qualified third party assessors will probably be in demand for a bit. These individuals are usually part of the risk management or vendor management function.

    BTW - the other path is in compliance. I know a few folks that moved into the audit management role - essentially the individuals that deal with third party assessors and auditors.
  • blargoe Member Posts: 4,174
    How would the pay for this type of position compare to, say, an experienced systems admin?

    This is something I have thought about looking into if/when I start burning out from the roles that I have been working.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • GoodBishop Member Posts: 359
    blargoe wrote: »
    How would the pay for this type of position compare to, say, an experienced systems admin?

    This is something I have thought about looking into if/when I start burning out from the roles that I have been working.
    There are a lot of variables to your question.

    If you are a normal sys admin, I would say the pay for an IT auditor would be slightly higher at the same level position. If you are a deeply specialized sys admin with experience, then your pay will be higher than the IT auditor. If you are an IT audit manager though, I have seen those salaries be higher than normal IT manager salaries. For example, IT auditors and IT audit managers with the CISA typically make around 70k for entry level to 125k for the good IT audit managers with experience.

    I would say go into management, yet keep your technical skills sharp. There's a lot more to being a manager - leading teams, encouraging people, gathering consensus, politics, leading by example, communicating, plus all the HR stuff like performance reviews. All of that is a skillset that won't go out of favor. Plus if you can add the non-technical stuff like running IT audits, it's good stuff.
  • GoodBishop Member Posts: 359
    One note, for those 70k entry level positions, they typically require a B.S. in IT/Accounting/MIS + 4-5 years of IT audit experience, plus a CISA. So it's not like it's truly "entry level", but that's where you start out at.

    I know a recruiter who posts this sort of stuff:

    RECENT PLACEMENTS:
    • IT AUDITOR – w/Fortune 200 CO in Chicago $75K + bonus
    • IT AUDIT SR – w/multi billion dollar company in Chicago $90K + bonus
    • IT AUDIT SR – w/Fortune 500 company in Chicagoland $80K + bonus
    • IT AUDIT STAFF – w/Fortune 500 company in Chicagoland $65K + bonus
    • AUDIT MANAGER – w/top CPA firm in the country located in Chicago $130K + bonus
    • AUDIT MANAGER – w/Fortune 500 company in Chicago-land $115K + bonus
    • SR FINANCE MANAGER – w/top financial services firm in Chicago-land $120K + bonus
    • IT AUDIT SENIOR – w/Fortune 500 company in Chicago-land area $90K + bonus
    • SR AUDITOR – w/top financial services firm in Chicago $75K + bonus
    • SR ACCOUNTANT - SEC Reporting w/top financial services firm in Chicago $70K + bonus
    • 3 AUDITORS – w/Fortune 200 company $65K + bonus
  • pinkydapimp Member Posts: 732
    GoodBishop, what is a good cert to add that is focused on GRC? I have my CISSP; however, I don't see too many certs that focus specifically on that.
  • GoodBishop Member Posts: 359
    I would say the best two would be the CISA and the CGEIT. CISA for auditing and validation, and the CGEIT for general governance.

    There are other GRC certifications here - GRC certification and education for governance, risk management, internal audit and compliance professionals | GRC Certify - but they don't have the ROI and respect that the CISA and CGEIT does.
  • Big-JJ Member Posts: 53
    GoodBishop and paul78…thanks for the informative replies.

    I am actually at a crossroad. I am trying to decide if I should stick to IT audit or transfer to business auditor within internal audit team.

    The primary reason that I got myself into audit profession is that it is a road to management. I have seen it many times for business auditors. Their career path is business auditor, senior auditor, manager, controller and some C-level position. Many audit managers have transferred to either senior or some C-level position over the years…(and of course, they all have CPAs)

    But I am not too sure about IT auditors. I have never seen ppl moving to senior level of IT management before. And I don’t want to be stuck in IT audit. I am seeing audit career as more of a stepping stone for my next career.

    So, I was thinking of switching to business audit. My experience with IT audit has not been fulfilling. I feel like I am doing the work that does not add any value or no one really cares and produce the audit report that no one really looks at. That has been my experience with IT audit.

    I have dealt with external auditors from consulting firms too. From my experience, man...they don’t really know what they are talking about when it comes to auditing IT systems. They just blindly follow checklist and framework (e.g., why the hell are accountants auditing IT systems?)…and asking for evidence that does not mean a ****. I have seen IT professionals laughing at the reports that they produce and just throw it away.

    I am not that technical. However, I took some technical courses so that I know what things are and how they work to a degree that is sufficient for IT audit. (e.g., I don't know how to configure and secure a router, but I do know what command I should use to pull up the security settings and where to look etc.) I was reading CCNA/CCNP books to improve my knowledge, but I realized that you don’t really need to know all the stuff to be an IT auditor. Am I wrong…?

    If I transfer to business audit I get to see the whole picture…business and IT and how they interact with each other. I think this makes me more valuable rather than just knowing IT. The pay for business auditor might be lower and it will take some time to get a CPA.

    Or stick with IT audit, become a senior IT auditor first, and find a managerial position in IT later.

    So, GoodBishop
    • Were your experiences with IT audit similar to mine?
    • What do you do as a GRC manager? And what are the skills required? (technical?)...It seems GRC is what audit, risk and compliance rolled into one :)
    MBA, CIA, CRMA, CISA, CISM, CRISC, CISSP, PMP
  • seccie Member Posts: 53
    If I may add my two cents here - I've been there and done that, Big-JJ.

    I didn't change at the right moment, and got stuck in IT audit. I passed CISSP and CISA. After that I changed to an IT sec consulting company, but it doesn't really make sense in terms of income/workload ratio. IT audit pays better, requires less personal sacrifice and offers more job security than consulting. Now I'm back at IT audit and don't see any sensible change opportunity - except going into management, which is not such a family-friendly career. I decided for myself to work some years more, invest a big chunk of my income wisely and to semi-retire after that.
  • Big-JJ Member Posts: 53
    Thanks for sharing your experience seccie...Did you mean you should have changed when you had a chance?
    MBA, CIA, CRMA, CISA, CISM, CRISC, CISSP, PMP
  • paul78 Member Posts: 3,016
    @Big-JJ - it sounds from your posts that your ultimate goal is to enter management. While it's probably a bit more challenging to reach senior management roles with an IT audit background because there are so few of those roles, it's not impossible. Getting into management and progressing upwards is sometimes more about actual management talent and business aptitude than actual technical background.

    I personally am not one to force a career path. If getting a CPA doesn't seem natural to you, you may want to reconsider.
  • seccie Member Posts: 53
    Big-JJ wrote: »
    Thanks for sharing your experience seccie...Did you mean you should have changed when you had a chance?

    It depends, Big-JJ, on whether you already have an idea of what you want to do in the future.

    option 1: you want to progress into a management position. Stay at IT audit and do some politics / networking at your company. If your company seems to not appreciate your wish (e.g. they put you into a "management development program" which you suppose to be a neverending story) consider changing company.

    option 2: you want to be more technical. Difficult option as tech positions usually pay less than IT audit. I'd suggest you make your speciality auditing systems / data centers / etc. and stay in IT audit. Or bite the bullet and accept the pay cut.

    option 3: you want to be self employed one day. Security consulting seems to be the way to go.

    option 4: (yours truly's choice) you want the money, not the career. Stay in the IT audit and try not to get fired. Invest a big chunk of your income.

    option 5: you don't know what you want. Stay in the IT audit and make some certs in areas you think you like. Talk with people who do these jobs, but still don't change from IT audit, till you're 100% sure. Getting back is harder than getting in the first time.

    I hope I could help.
  • GoodBishop Member Posts: 359
    Big-JJ wrote: » (quoting Big-JJ's post above)
    So first of all, from a happiness standpoint, you should do what you enjoy. I've known accountants who love accounting, and I've known IT auditors who are lifers - they love the stuff. From a general happiness perspective, I would suggest finding out what interests you more - IT auditing or financial auditing, and then focus your time and energy toward that.

    For my experiences in IT audit, prior to working in an internal audit department, I had about 7 years of tech experience, and had done a few client engagements (nothing fancy, just one or two SOX items - but enough to get the CISA). But I really didn't have an idea of how audits were supposed to really work. I knew the how, but not the why. So for my first year working in an IA department, it was painful. I mean, really painful. I was treated as an entry level staff-person, yet had like 7 years experience and 14 IT certs, including the CISSP, CISA, and CISM. Yeah. So I struggled that first year learning the concepts, and adjusting. The conversations that I had with my wife for months (stretching on to years) went something along the lines of: "Work sucked today." "Do you want to talk about it?" "No."

    It felt like mind-numbing work. Admittedly, my Excel skills skyrocketed. But the rest of my skills atrophied.

    The second year though, I have to say, I enjoyed it a bit more. I understood the why. I was able to translate that skillset into several successful audits, including some obscure IT intellectual property and software development audits. It was more interesting. I still disliked what I was doing, mostly because I knew I was capable of so much more (I mean really, there's only so much I can enjoy looking through hundreds of access requests/help desk tickets PDFing them and looking for mistakes). I still was dealing with no career path at that job as well as other items that made me look elsewhere.

    So I can feel your pain a bit. I'm not sure I could have lasted 4 years at the job that I was at. Maybe if it was a different company with a different culture, it would have been better.

    I moved to a GRC manager position after the entry-level IT auditor position, and it has been like night and day. I enjoy what I do. I work hard. I am dealing with constantly changing issues. I'm running programs, not just projects. I have the authority to say "No, you need to do this, this, and this, because of these reasons.", and folks say, OK. I am respected for the work that I do and what I bring to the table, and I like that.

    For your comment around the road to management, I used to work in an accounting firm prior to working in an internal audit department, so I know what you're seeing - yes, a lot of accountants do take that path. Get the CPA, do a few years of accounting or audit, then move to be a controller or other high level position. But for every accountant that I know who does that, there are at least five others who don't make it. And yeah, everyone I know who made that jump had a CPA, an MBA/MS in Accounting, and over 7 years of experience doing that sort of stuff. So that's top notch stuff. I am taking graduate level accounting and finance courses right now for an MBA in Finance, and I have to tell you, that is a TON of stuff that you need to know to be a CPA. I have a sister in law who just passed exam 3 of 4 for the CPA, and she's been constantly studying for a year now - it's a lot of study.

    One note - I have seen folks who worked in normal audit move to IT audit, and then take director-level positions in internal audit and IT security. So it is possible. Same with seeing folks who are in IT audit move to director level for IT security, as well as internal audit.

    For switching from IT audit to business audit, and this is my own opinion here in this sentence... I think it's the same grass, even though it might look greener on the other side. You should do what you enjoy, that's my opinion.

    External auditors - yeah. I've dealt with good ones and bad ones. The bad ones didn't have a clue. The good ones really added value to the process. It's a toss up.

    Do you need to read the CCNP books to be an IT auditor? No. But the knowledge that you gain will help you be a better IT professional, a better IT auditor, and a more knowledgeable person overall. But I would say it's important to have a commitment to continuous learning - that's the real key to not only being a better IT auditor, but a better employee and professional. What are you doing to stay relevant, whether it be IT audit or normal audit? That's the question.

    For the skills required for a GRC manager, I have to have a deep knowledge of control frameworks (ISO27001, PCI, COBIT, etc). I have to have a deep enough technical knowledge that I not only can talk with the network engineers and security architects about certain requirements, but also offer solutions and pick out details that they might have missed. For example, I am in our Active Directory Security Group - I have to have (and have) a deep knowledge of how AD works, as well as the security and governance considerations. Gosh, there's a ton of skills that I have to have - dealing with vendors, dealing with internal politics, helping prioritize an agenda that meets the strategy of our organization, dealing with sensitive situations, building a security program, being aware of the latest laws and regulations that we have to follow... yeah. Plus there's the people and managing side of things. I have to be able to change the hearts and minds of folks at my level by being an expert in what I do, as well as constantly deliver quality work and deliverables. One day I'm talking with the DBAs around Oracle Security, the next day I'm discussing the privacy implications with Legal about certain marketing campaigns and IT vendors.

    I definitely enjoy it. It keeps life interesting.

    I think there was a question around career path. I would say for me, I plan to finish my MBA next year (two thirds done already!), knock out more certifications, and then shoot for the Sr. Mgr/Director/Sr. Director positions after an appropriate amount of time, once I've gained the experience for that position. I am definitely taking control over my own career path though - I'm not letting it just idle by. Also, one option I might consider going for is Chief Security Architect - which I've seen requires at a minimum MBA, CISSP, and CCIE. So I'd have to get the CCIE. Which would be a ton of work, but it would be worthwhile. And folks who have that - I've seen the salary be around 240k plus bonus.

    I've also thought about getting either an MS or a PhD in Information Assurance once I finish the MBA, but I might take a break for a year - it would be nice to have date night again. Maybe I could teach after I got that - that could be kinda cool. Give back, as it were.
  • Big-JJ Member Posts: 53
    Hey GoodBishop, Thank you for your kind reply. Appreciate it :)
    MBA, CIA, CRMA, CISA, CISM, CRISC, CISSP, PMP
  • blargoe Member Posts: 4,174
    Those are some good insights, GoodBishop.

    My technical experience is unusually broad (messaging, database, server operations, firewall management, storage, virtualization - including implementation, security, and compliance across the board), and I spent a couple of years on the IT Audit self-testing team at my last job because the management felt I had the analytical skills and broad technical acumen to be a good fit on that team. So that is why I figured if I hit a brick wall with my current career path, I would probably do OK in IT Auditor track.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • bharatkh Registered Users Posts: 2
    Hi all,

    I'm an IT auditor with 5 years of work experience... my core areas have been auditing high transaction systems... so my forte is data analytics in audit...

    Where do you think this can take me forward? I don't really enjoy auditing and want to join operations in marketing or sales... I feel that people from audit can never become CEO of a company as they haven't been in operations...

    Especially from IT audit... the maximum you can reach is being a CISO... a position which many companies do not have...
    Let me know your thoughts on this...
  • bharatkh Registered Users Posts: 2
    I think you are right in a sense that IT audit has a limited scope to rise.... audit is traditionally an accountant's job... although if you have dual knowledge of IT and finance... the sky is the limit
  • phuongtx1 Registered Users Posts: 1
    This thread was a long time ago; I am not sure if all of you still log in to this page or not?
    If anyone sees the notification, please update your career path now for a new IT Auditor.
    Thank you so much!
  • scasc Member Posts: 462
    Hours are standard - 9-6 usually, no need for rotation here. Only if you work in Big4 and in the assurance/audit department you will have something called "busy season" which is usually Sept-Jan where the hours can be notorious like IB. But I would avoid this and work in industry. Work is heavily geared towards risk assessments, checklists, policy reviews etc. So mostly spreadsheet work to do working papers and analysis with Word being used to write up report.

    The work entails undertaking either risk/compliance/audit assessments against a framework (such as ISO, PCI, etc.) or the policy/standards of the company and determining gaps and risks against those gaps. So lots of paperwork, research etc. Not for everyone but certainly a decent career.

    I think working in Cyber Risk is pretty consultative, so you are on projects (like a vendor developing a piece of software), so you get to ask the most pertinent questions and find gaps against the security practices defined above. E.g. following OWASP coding standards, code scanning via DAST/SAST, encryption ciphers for data handled in transit etc.
    AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...