IT Audit & Risk Assurance: What do I need to know?

This is a generic question for a generic title, but for those of you with experience in the field, what do I need to know to succeed in a role that involves IT Audit & Risk Assurance? The role is for an audit firm (big 4) so it's a customer facing.

I have customer facing skills and communication skills. They seem to ask for CISA so I think I'll do this exam soon.

But IT audit wise, what do I need to know? What I know so far, I have done security assessments for projects before, I understand technology and business very well. I've been involved in ISO27001 stuff, but it was straightforward.

Help UnixGuy become AuditGuy

Find more posts tagged with

Comments

Ertaz

when-you-seethenew-hires-dont-do-it-during-orientation-kera-6225738.png

TechGuru80

Learn the other frameworks...NIST 800 series, PCI, COBIT, GDPR, HIPAA, etc. If it were me I would try to exposure to all of them to make yourself valuable. Project management skills, and writing skills are going to be critical because you are going to generate a lot of artifacts/reports and then present them at times.

CISA and the other ISACA certifications are going to be useful...and then vendor certs if you have responsibilities to audit technical security.

UnixGuy

@Ertaz I have no idea what the meme is supposed to mean, sorry didn't get the joke lol. Did you mean for me not to do Audit work?

@TechGuru: Learning the other frameworks, do you mean trying to get an opportunity to do audit work related to those frameworks? because I find reading about the frameworks isn't very helpful as the documents can be very dry.

Until I get a job opportunity where I can perform the tasks related to the frameworks, I need to find ways to improve my skills. Perhaps I should do CISA

paul78

I'm curious why you would be interested in doing audit work - especially for a big 4 consulting business. From your previous posts, I would have guessed that you would find audit work to be entirely boring and uninteresting.

Audits are based on adherence to a standard so understanding certain standards like PCI and SOC2 would be helpful if you want to work for a big 4 since that's typically the type of audits they perform.

If you think that the material is dry, you will probably find ISACA materials to be equally as dry - after-all - it's material developed and written by auditors

. And it's typical of audit work.

TechGuru80

UnixGuy wrote: »

@TechGuru: Learning the other frameworks, do you mean trying to get an opportunity to do audit work related to those frameworks? because I find reading about the frameworks isn't very helpful as the documents can be very dry.

Until I get a job opportunity where I can perform the tasks related to the frameworks, I need to find ways to improve my skills. Perhaps I should do CISA

If you can get experience using the frameworks that helps but reading them and knowing how to navigate them is very important as it's not like a technical exam where you practice a lot of commands...if you cannot speak to major frameworks (at least 2), you probably aren't going to get anything more than a very junior role. Unfortunately, with auditing you will have to read a lot about the frameworks, constantly refer back to them, and many other "very dry" tasks. As an auditor, you are extremely unlikely to be hands on keyboard and instead focus a lot on processes and procedures, so if going through the frameworks is boring and dry enough to scare you off then you probably shouldn't become an auditor.

the_Grinch

I've worked on the regulatory side (which is still auditing) and I'd say there are two things you should do/know. First, this is obvious, know the framework you will be using inside and out. You are the expert and when asked questions people typically expect an immediate response. The first month of my position I literally read our regulations. It was very boring and I thought to myself "what did I sign up for?". But within several months there wasn't a question I didn't have an answer for. To that end, whenever possible know the why behind the framework. No one likes audits, but my experience has been when you can explain the why behind it people go with it more easily.

Second, don't just be the checkbox auditor. Just about everyone wants the checkbox and honestly it hurts them to be that way. If company's followed and put in the effort to be more than a checkbox security frameworks would actually work. I always did my best to say "yes this would be compliant, but the spirit of the regulation is aiming for x,y, and z. To that end it will protect you more if you did it this way." You won't get everything, but meeting in the middle is great for everyone.

Your biggest advantage will be your technical knowledge. I garnered a lot of respect from the IT departments because I knew what they were facing technically and from a business standpoint. On my side, it allowed me to tell management what timelines were feasible. They didn't always love it, but they knew if I was saying it then it was what it was. Good luck!

UnixGuy

paul78 wrote: »

I'm curious why you would be interested in doing audit work - especially for a big 4 consulting business. From your previous posts, I would have guessed that you would find audit work to be entirely boring and uninteresting.

...

This is a very valid question, and a bit difficult to explain now as I haven't got the job yet. But in summary, I lost on a couple of very senior leadership positons due to my lack of audit/3rd party assurance/risk experience. There is another factor, I may be presented with an opportunity to work for fewer hours..Still negotiating so it's all in the air.

TL;DR , for personal reasons, I will write about it soon

UnixGuy

Thanks everyone!!!

So here's what I need to do:

1) Sign up for the ISACA CISA exam

2) Start Reading about frameworks.

Last questions....The best resource to read about the frameworks? Any links? PDFs? Videos?

The best way to absorb and become an expert on the frameworks?

I think I'll start with ISO 27001 since it's the one I'm already familiar with...any ideas where to start?

Thanks again!

paul78

the_Grinch wrote: »

Second, don't just be the checkbox auditor. Just about everyone wants the checkbox and honestly it hurts them to be that way. If company's followed and put in the effort to be more than a checkbox security frameworks would actually work. I always did my best to say "yes this would be compliant, but the spirit of the regulation is aiming for x,y, and z. To that end it will protect you more if you did it this way." You won't get everything, but meeting in the middle is great for everyone.

Unfortunately - in my experience, that how auditing usually works. It's checkbox based - and even more so since we are talking about external auditing. Which always amuses me since an auditor is suppose to render an opinion. Internal risk assessments or perhaps third-party risk assessments tend to be more useful imo - especially if the assessor is willing to render an opinion or at least offer insights.

Most of the big 4 audit teams that I come across have very little to no hands-on technical background. It doesn't make them bad as auditors but it can sometimes be slow going to have to explain how something actually works.

UnixGuy wrote:

any ideas where to start?

PCI has the most prescriptive standard and it's freely available so you may want to start there. Start with these documents.
https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss

As you mentioned - ISO 27000 family is good too - but the standards are not free - if you plan to buy them - I would suggest starting with these 3:
https://www.iso.org/standard/73906.html
https://www.iso.org/standard/54534.html
https://www.iso.org/standard/54533.html

Both 27001 and 27002 are about 5 years old so I don't know if there is a draft in the works.

Also - since you are interested in working at a big 4. I am guessing that SOC2 audits are a big part of their business.

IIRC - you are in Australia - I recall that SOC reports are used in Australia even though it's a US accounting standard.
https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html
If companies in Australia prefer ISAE reports - you could check out the IFAC website - https://www.ifac.org/publications-resources/staff-overview-international-standard-assurance-engagements-isae-3402-assuran

Bear in mind that these are accounting standards - most audit standards are developed by accountants - including the ones commonly used in security. Probably why you are finding the materials so dry

I don't think that Australian companies care about NIST standards but those standards are freely available. The 800 series are the relevant ones - https://csrc.nist.gov/publications/sp800

I'm surprised to hear that senior leadership positions favor people with audit backgrounds. That's a bit different than what I'm used to seeing in financial services here in the US.

Good luck.

UnixGuy

Thanks Paul! Yes Australian businesses care about and use NIST ... SABSA framework for security architecture is huge here...but the rest is the same as everywhere (ISO27001, PCI-DSS, ..etc).

you said most Big 4 auditors are not technical....hey maybe I'll be the exception? again I've got nothing so it's all up in the air now

paul78

UnixGuy wrote: »

you said most Big 4 auditors are not technical....hey maybe I'll be the exception? again I've got nothing so it's all up in the air now

I shouldn't have disparage Big 4 auditors. My apologies to anyone that I offended. There are definitely some very good auditors in those firms. Like all things, in larger consulting companies, the really good ones work with the clients that are willing to pay the most.

If you are looking to get into senior leadership, you may also want to familiarize yourself with governance and risk concepts. Check out the COSO framework and Cobit 5. If you joined ISACA to take your CISA, I think you should be able to get the COBIT materials as part of your membership.

UnixGuy

Oh thanks! yes I get asked about Cobit 5 frequently!! I did get ISACA membership after passing CISM ,I'll look up Cobit 5 docos! was wondering what use can I make of ISACA membership

scasc

As someone who has worked in 3 out of the big 4 (unfortunately!

) I can share some decent perspectives in regard to this.

Within IT Audit and Risk Assurance you have multiple sub teams auditing and validating controls against whatever standard, framework or policy is being assessed against. This usually means checking 2 things - design effectiveness of controls (i.e. does the control adhere to the standard/policy) and 2) operating effectiveness - proving this is the case (for example say design effectiveness states that there is only 1 admin as per policy the latter would then enable you to take a screendump of the configuration to prove that only 1 account is within this admin group etc.

Usually IT Auditing checks 3 things - change management, logical access and IT operations (i.e. The so called general controls). When you work in security auditing it usually means auditing against a standard (this could be as mentioned previously 27001, or using 27005 risk assessment methodology to vouch for the 27002 list of controls, if data centre auditing then leveraging SOC 3 for instance etc).

A lot of interviewing, collecting information, understanding the risks against compliance due to weak controls, testing and picking samples as well as the key thing - writing that magic report which brings it all together and justifies the big 4's astronomical fees

.

Plenty of jobs in this area and will never die down due to its inherent nature of reporting to the audit committee which reports directly to the board (thus audit is an independent function).

Having technical skills definitely helps as you can probe on some deeper technical questions. But its not a role where you use tools to find common weaknesses in your OS's, network devices etc - even though the tools help tremendously.

Hope this helps.

luisbee

@scasc good summary write-up on the IT Audit functions in the BIG 4..as someone who has been in the Big 4 for over 8 years, advisory or consulting work in Cybersecurity, information security & technology infrastructure reviews is a key area that will fdef need some technical skills...EY's IT Risk & Assurance has 3 main sub-service lines which are IT Assurance (supporting the Financial auditors in validating the controls over financial reporting so you looking mainly at IT general controls as scasc rightly pointed out), IT Risk Management (mainly focuses on IT resilience, GRC and the nig implementation projects like SAP / Oracle EBS etc) and Cybersecurity (where you focus on Cyber strategies, ISO 27001 reviews/ gap analysis, IAM, Cyber Transformation programmes, Pen Tests incl. Read & Purple teaming, Vulnerability assessments etc). So this area of the business is the fastest growing in the Big 4 and one can easily move from one team to the other to acquire the experiences and all.

A lot of it is customer facing, having exposure to different business areas and also exposure to interacting with top Senior management like your CISOs, CROs, COOs.

Hope this sheds more light into what you are asking for.

UnixGuy

@scasc & @luisbee THANK YOU so much!! this is exactly what I was looking for. That job sounds like a lot of fun and a lot of customer interaction

scasc

No problem at all. Let us know how things get on.

Certainly if you stay, be patient and progress your career in this area and reach Partner level - then the world is your oyster. Substantial six figure salary.

On another note, manoeuvring and working your way up the big 4 is an effort by itself. Network with the right people, attend all these events, drinks, BD, proposals etc. And have great relationships with these senior folks - even if it means having reguar catchups so they get to know you really well. By having this you can always gain feedback and ask what to do to progress, gain promotion etc and partners will always want to share this if they have built the relationship with you.

If someone told me many years back, would have been worth its weight in gold.

Best of luck as working and progressing in the big 4 is a massive commitment by itself - you have to go beyond the work you do. Everyone has had different experiences I can only speak for myself but if you do the above you should hopefully progress and get the interesting projects. Maybe a secondment abroad too....

UnixGuy

@scasc: that sounds really awesome...!

The catch is, I'm already on six figures+. The reason I'm negotiating a position in big4 is because they offered a part-time opportunity...this will give me a day or two off per week which will allow me to work on personal stuff.

Partner sounds awesome, but the exit opportunities from big 4 are awesome as well. I know many CIOs / CTOs / CEO's who were ex- big 4, so there is that opportunity!

Who knows..guess I'll know in the next couple weeks

scasc

Yes, Big 4 are good with having part-time positions so you can do whatever you need to during the time you are away. It does have excellent exit options too. However, you may find that you dont want to leave and want to work up to partner level. What level are you going at?
Partner salaries are in excess of $500,000 - its a partnership so they share the profits made by the firm too

UnixGuy

scasc wrote: »

Yes, Big 4 are good with having part-time positions so you can do whatever you need to during the time you are away. It does have excellent exit options too. However, you may find that you dont want to leave and want to work up to partner level. What level are you going at?
Partner salaries are in excess of $500,000 - its a partnership so they share the profits made by the firm too .

wow that's a lot of money!!

The position I'm negotiating is 'Manager'...However, I just saw a position that I qualify for that is 'director'...the salary difference between the two is not huge...

scasc

At director level the key differentiator revolves around "sales." i.e. How much money can you bring in as opposed to how many chargeable hours you clock. At this level, people who obtain these roles have relationships with CTO's/CIO's/CISO's etc who will then give them whatever work is required - might have to go through a formal bid process but still its the relationship you have that ultimately wins.

So it's about having established relationships already which will enable you to get a director level role. If you have this, fantastic, if not try going in at Senior Manager which will allow you to build this up with a view to then being on a path to director. That way you can still show your worth by being chargeable (i.e. the hands on audit work) and at the same time build on your contacts in industry.

Hope this helps...

chickenlicken09

scasc wrote: »

As someone who has worked in 3 out of the big 4 (unfortunately! ) I can share some decent perspectives in regard to this.

Within IT Audit and Risk Assurance you have multiple sub teams auditing and validating controls against whatever standard, framework or policy is being assessed against. This usually means checking 2 things - design effectiveness of controls (i.e. does the control adhere to the standard/policy) and 2) operating effectiveness - proving this is the case (for example say design effectiveness states that there is only 1 admin as per policy the latter would then enable you to take a screendump of the configuration to prove that only 1 account is within this admin group etc.

Usually IT Auditing checks 3 things - change management, logical access and IT operations (i.e. The so called general controls). When you work in security auditing it usually means auditing against a standard (this could be as mentioned previously 27001, or using 27005 risk assessment methodology to vouch for the 27002 list of controls, if data centre auditing then leveraging SOC 3 for instance etc).

A lot of interviewing, collecting information, understanding the risks against compliance due to weak controls, testing and picking samples as well as the key thing - writing that magic report which brings it all together and justifies the big 4's astronomical fees .

Plenty of jobs in this area and will never die down due to its inherent nature of reporting to the audit committee which reports directly to the board (thus audit is an independent function).

Having technical skills definitely helps as you can probe on some deeper technical questions. But its not a role where you use tools to find common weaknesses in your OS's, network devices etc - even though the tools help tremendously.

Hope this helps.

Would you say its a lot of excel? And excel skills need to be tip top?

chickenlicken09

scasc wrote: »

As someone who has worked in 3 out of the big 4 (unfortunately! ) I can share some decent perspectives in regard to this.

Within IT Audit and Risk Assurance you have multiple sub teams auditing and validating controls against whatever standard, framework or policy is being assessed against. This usually means checking 2 things - design effectiveness of controls (i.e. does the control adhere to the standard/policy) and 2) operating effectiveness - proving this is the case (for example say design effectiveness states that there is only 1 admin as per policy the latter would then enable you to take a screendump of the configuration to prove that only 1 account is within this admin group etc.

Usually IT Auditing checks 3 things - change management, logical access and IT operations (i.e. The so called general controls). When you work in security auditing it usually means auditing against a standard (this could be as mentioned previously 27001, or using 27005 risk assessment methodology to vouch for the 27002 list of controls, if data centre auditing then leveraging SOC 3 for instance etc).

A lot of interviewing, collecting information, understanding the risks against compliance due to weak controls, testing and picking samples as well as the key thing - writing that magic report which brings it all together and justifies the big 4's astronomical fees .

Plenty of jobs in this area and will never die down due to its inherent nature of reporting to the audit committee which reports directly to the board (thus audit is an independent function).

Having technical skills definitely helps as you can probe on some deeper technical questions. But its not a role where you use tools to find common weaknesses in your OS's, network devices etc - even though the tools help tremendously.

Hope this helps.

Mind me asking why you say unfortunately? Are they tough to work for? Reason being i have a potential cyber consultant interview with one of the big 4 soon. Wouldmy time be best spent at another company? Also, how do they differ to a "regular" company?

UnixGuy

scasc wrote: »

At director level the key differentiator revolves around "sales." i.e. How much money can you bring in as opposed to how many chargeable hours you clock. At this level, people who obtain these roles have relationships with CTO's/CIO's/CISO's etc who will then give them whatever work is required - might have to go through a formal bid process but still its the relationship you have that ultimately wins.

So it's about having established relationships already which will enable you to get a director level role. If you have this, fantastic, if not try going in at Senior Manager which will allow you to build this up with a view to then being on a path to director. That way you can still show your worth by being chargeable (i.e. the hands on audit work) and at the same time build on your contacts in industry.

Hope this helps...

That sounds like something I'd really enjoy! I love sales!

scasc

@eddo1 - In regard to excel, its always a good skill to have if you are going through massive amounts of data to form meaningful relationships but by no means you need to be an expert. I'm certainly no expert in excel. You can pick this up on the job too to be honest. If you really want to.
Also in regard to why I said unfortunately

. Everyone has different experiences in the big 4 - some people love it, some people not so much as its not for them. Its a great brand to have on your CV, you have many potential opportunities and great exit options if you feel you want to go end user instead for example. However, the politics really is insane - probably more than working end user for example (again only my experience). People tend to progress more on the people they know only. I was a Senior Manager/Associate Director when I left - however the partner took a disliking to me because he was mates with someone who for some strange reason said some not so nice stuff about me (same grade - again that back stabbing environment). As a result this affected my ability to get the career I wanted out of this so I had to leave. However I have seen such stuff in the other big firms too. If you get an opportunity and a job you really like, def consider it. I am sure things will go well.
How they differ depends on what you want to compare them against. If its against another consultancy (systems integrator or technical consultancy such as Accenture/IBM etc) then the big 4 will do the typical controls review/assessment work. These other consultancies will do the hands on deployment, design, analysis etc. Big 4 will do the assurance to ensure the project is managed well/on time/controls deployed approrpriately, raise risks and present report to management. So its less hands on. Now I know they are looking to get more advisory work and not assurance however if you want hands on project work a systems integrator is the way ahead I think. Much more exposure. Because if you join and you dont have work on, they will put you on an audit project as this is their bread and butter - then it may get a real headache.

@UnixGuy - Fantastic!. Perfect for you hopefully.

chickenlicken09

scasc wrote: »

@eddo1 - In regard to excel, its always a good skill to have if you are going through massive amounts of data to form meaningful relationships but by no means you need to be an expert. I'm certainly no expert in excel. You can pick this up on the job too to be honest. If you really want to.
Also in regard to why I said unfortunately . Everyone has different experiences in the big 4 - some people love it, some people not so much as its not for them. Its a great brand to have on your CV, you have many potential opportunities and great exit options if you feel you want to go end user instead for example. However, the politics really is insane - probably more than working end user for example (again only my experience). People tend to progress more on the people they know only. I was a Senior Manager/Associate Director when I left - however the partner took a disliking to me because he was mates with someone who for some strange reason said some not so nice stuff about me (same grade - again that back stabbing environment). As a result this affected my ability to get the career I wanted out of this so I had to leave. However I have seen such stuff in the other big firms too. If you get an opportunity and a job you really like, def consider it. I am sure things will go well.
How they differ depends on what you want to compare them against. If its against another consultancy (systems integrator or technical consultancy such as Accenture/IBM etc) then the big 4 will do the typical controls review/assessment work. These other consultancies will do the hands on deployment, design, analysis etc. Big 4 will do the assurance to ensure the project is managed well/on time/controls deployed approrpriately, raise risks and present report to management. So its less hands on. Now I know they are looking to get more advisory work and not assurance however if you want hands on project work a systems integrator is the way ahead I think. Much more exposure. Because if you join and you dont have work on, they will put you on an audit project as this is their bread and butter - then it may get a real headache.

@UnixGuy - Fantastic!. Perfect for you hopefully.

@scasc this one is with Deloitte, Risk Advisory - Cyber Security - Senior Consultant

chickenlicken09

Guys, how can i get experience with SOX, i see it in alot of job specs but no exp with it. Any docos or websites teach myself?

scasc

Hi eddo1 - SOX usually falls in the remit of traditional IT Auditing, not so much cyber security. It was a big thing around 2003 onwards where contractors were getting a tidy sum for assuring against this. You normally focus on 404 SOX controls which includes the IT auditing part (transaction controls). Usually experience working on such projects allows you to fully grasp it otherwise best thing to do is google it and understand the 404 auditing process for SOX.

Hope this helps.