A few weeks ago, I did several phone interviews and concluded that there is no abundance of skilled IT auditors looking for jobs these days.
First, isn’t the purpose of the interview to determine what a person’s experience is, and whether that experience is a good match for the position? At least 3 of the interviewees provided negative information about themselves unexpectedly:
- “I have no experience with Oracle applications.”
- “I’ve been out of audit for a while.”
- And my favorite, on a resume: “Languages: FORTRAN (I’m not a developer).” Huh?
Second, when asked that dreaded “tell me about yourself” question, why do people talk for 5 minutes giving every detail of their life? What I’m looking for is how well people can summarize and get to the point. You never want to waste your best points on the opening question. And no, I don’t care what your dog’s name is (save that for your Twitter feed).
Which leads me to the third concern: Respond to questions with brief answers; if I want to know more, I’ll ask (how come auditors are supposed to know how to interview others, but can’t give a decent interview themselves?).
Fourth, don’t tell me that you have skills if you don’t. Seeing “Server Virtualization” on a resume led me to ask one person: “What type of server virtualization audits have you done?” The answer: “I don’t have any server virtualization skills.” When I asked, “Why is it on your resume?” there was dead silence. Makes me wonder whether I should ask if you really have that CISA certification.
Fifth, when asked to list 3 questions one would ask control owners when reviewing a control narrative, I wondered whether some auditors can count. I didn’t ask for 5 questions, but 3. I want to know that you can follow directions, prioritize, and be specific.
Along the same lines, if asked to BRIEFLY explain something, be, uh, brief. Again, if I want to know more, I’ll ask. If I have to keep interrupting you to find out the information I really care about, you’re going into too much detail.
The interview that really irked me was with the guy who asked more questions than he answered in the first 5 minutes. He tried to control the entire interview, and if he tries to gain control over the phone, imagine what he’ll try in person. I have enough problems dealing with IT already. No thanks.
Most auditors know that if an external auditor asks a question, you answer that question without volunteering additional information. Why do so many auditors forget that when THEY are interviewed?
More Pain, No IT Auditors Hired
10 responses to “Interviewing IT Auditors”
As a member of an HR department, I couldn’t agree more with your post. I’ve found that most people do not prepare CORRECTLY for interviews. If you cannot verbally present yourself as a match for the job requirements by: 1. Knowing your background, and 2. Marrying your background to the KSAs listed in the job advertisement, you are not going to get hired. Furthermore, there are sites/blogs all over the internet that tell people exactly what interviewers are looking for during interviews. Thus, I do not tolerate common errors.
Thanks for your input, Gretchen. I would think in this economy I’d have trouble sorting out the duds, but it really hasn’t changed much.
While I do agree that not many IT auditors are around, and those present really do not know what to do, what needs to be done by an IT auditor is missed by many HR staff and partners. First and foremost, if you need a person to review the accounting process and its technicalities, then hire a CITP; since they are also CPAs, they are the best, not a CISA with a B.S. in computer science and 10 years as technical staff. If you need someone to assess the CIO office and the general controls, such as networking and IT security, then hire a CISA. Do not hire a CISSP to do an audit. They are IT security professionals. CISAs are not entirely accounting and IT based; mostly these days you find a technical bunch. If accounting is a foreign language to the tech bunch, then why should HR hire them? Because they can review operational processes and some very serious stuff, such as vulnerability analysis reports of a server that is hosting a trade finance application. Based on my experience, if the true potential of genuine CISA candidates (with audit experience) is unleashed, then huge frauds can be unearthed as well as stopped.
Thanks for your comments. Are you replying to my post or just ranting in general? I wasn’t sure.
However, I agree that IT auditors shouldn’t do financial audits, although I’d submit any auditor can tick and tie signatures and a lot of the non-financial stuff that financial audits include. But overall, no, and most would not want to.
As for CISSPs doing audits, it depends on whether they understand audit principles. I’m a CISSP who’s an auditor. Most CISSPs don’t know audit, so I have to agree with you there. Basically, if you’re technical and don’t understand audit, you should not do any audits, CISSP or otherwise.
I once worked with a pentester who never wrote an audit work paper before and didn’t know audit, so I’ve felt that pain personally.
Pingback: Master List of CISA Articles | ITauditSecurity
Pingback: Hiring Auditors Who Can Think | ITauditSecurity
I’m curious if you’ve encountered some instances where candidates have their CISA designation but somehow do not really have the audit experience once you drill into their experience. I’ve seen enough candidates who were either part of an IT ops team coordinating ‘audits’ that somehow qualified as audit experience, or who have a background in compliance audit but, after digging more, it’s mostly a spot check or check-the-box audits. It’s not what I consider audits that are aligned with IIA standards or even ISACA’s ITAF. I’m also starting to see more and more DB admins or IT ops PMs who end up with their CISA designation without any prior audit experience. So to me, where is the ‘A’ in CISA? :)
I see it all the time. Not only with CISA, but with CISSP and MCSE and so on.
That’s one of the reasons that audit supervision is so critical. But so many IT audit jobs are open, companies take unqualified people. I’ve seen it happen in companies I was working in.
I have no problems learning on the job, but a newbie needs to be working with a senior person all the way. But because skilled auditors are hard to find and audit seniors and managers have so much other work to do, they don’t do the training and supervision.
That is the fault of management, just like every other work-related issue.
While I have asked many times where the IS is in CISA (see my related post), I chuckled over your “where is the A in CISA.” I would argue that the A is more important than the IS, but a good IT auditor needs both.
Thanks for your input.
Thanks for your input as well. I failed to mention in my earlier post that I was trying to echo your post on where the IS is in CISA; that’s where I picked up on the idea of where the ‘A’ is in CISA. So my bad from that end.
I definitely do not mind learning on the job as well. In fact, that’s just something given to our profession: with new technologies always coming out, we have to figure out a way to address the audit risk. It’s the ones who claim they have all these skills and expertise (even advertised and vetted by other people on LinkedIn) that irk me. I mean, we’re auditors, for crying out loud; don’t they think we’ll find out? hehe. I’d rather have someone be upfront and say, “Nope, I don’t have that, but I’m a quick learner and don’t mind teaching myself if I have to.”
I’ve done my fair share of review and supervision of staff, and I can attest that I’ve found some instances where staff just missed a step that, although small from their perspective, had a big impact on the overall testing.
I wondered about your “A” in CISA comment. You gave me a chuckle. It didn’t occur to me you were echoing my rant.
As for claiming skills one doesn’t have, the only thing that comes to mind is that 1) the person doesn’t see embellishment as dishonest, but normal, and/or 2) they are so used to exaggerating they aren’t even aware of it. Both are somewhat the same.
Everyone usually benefits from review/supervision. The person who despises it thinks more highly of himself than he should. We all have blind corners.