Recently, a reader named Porak asked me what careers IT auditors can move to when they leave auditing (see the original question here).
I couldn’t find much on the Internet on this topic, but there are a lot of options.
I’ve actually worked in quite a few of the areas mentioned below…
If you’re skilled in general IT, you should consider the following fields, depending on your specific IT auditor skills and years of experience. Bold text indicates you’d probably need to possess a high level of skill in that area already to make a move.
- Business Continuity Planning/Disaster Recovery* – help departments perform risk assessments and business impact analyses, and create, test, and update BCP/DR plans.
- Compliance, Risk Management, or Information Security* – all these departments need people who understand policies, standards, risk, controls, running technical projects, research, etc.
Here’s one of the few articles I found re: life after IT audit: http://www.careersinaudit.com/article/moving-from-it-audit-to-cyber-security/?s=2
- Vulnerability Assessor or Penetration Tester* – Run vulnerability scans and try to break software/hardware manually and/or with tools.
- Technical Writing* – Documenting manufacturing processes, computer operation manuals, training materials, etc. Assuming you have excellent interviewing and written communication skills.
- Training – teach others how to use computer systems, software, hardware, etc.
- Data Analytics* – most departments are doing some type of analytics these days.
- Management* – easy to move into if you managed or mentored people when you were in audit.
- Process Improvement – usually auditors identify problem areas that can be made more efficient as part of some audits, so this may be a possibility.
- Merger integration – Help your company acquire another company, working through the redundant networks, IT systems, personnel, etc. I list this one as an example that almost anything is possible, especially since one IT audit director I know just moved within the same company to this very position.
*These are positions I’ve held prior to my experience as an IT auditor. The only exception is Data Analytics, which I did not get into until I was in IT audit. In my case, all this prior experience made me a better IT auditor, but it works the other way around too.
I’m sure I missed several other careers.
Who can add a few more, with a short description of why you think it’s a valid option for an IT auditor to aspire to?
16 responses to “Careers After IT Auditing”
I have a few questions about IT Auditing. I have done my SOX certification. What will be the next step I should take? Also I have been applying for jobs but no luck yet but I’m not giving up. Since I don’t have any job experience. Please do let me know your concerns.
I answered you here: https://itauditsecurity.wordpress.com/2014/12/15/hiring-auditors-who-can-think/#comment-12854
If you give me more info, I may be able to give you better advice. See my questions in the above COMMENT.
What a great blog!
Become normal, well adjusted people?
I’ll let you know if it ever happens to me. Don’t count on it.
What about the thriving field of data mining and artificial intelligence? Should Auditors think of taking a leap on those?
Yes. Some people don’t differentiate between data analytics, data mining, data analysis. Others will cause a bar fight over these terms. Generally, analytics is answering a question by analyzing data–like how often do people log in on weekends, what time, and does an evil pattern exist?
Data mining is looking for gems you didn’t know were there–identifying previously unknown patterns that can be beneficial (people who shop online late at night buy more food). Sounds like data analytics, kind of?
I wouldn’t begrudge anyone going into AI either, which loosely, is helping computers and machines make decisions based on previously defined rules and scenarios, and when a situation is encountered the first time, determining how to deal with it.
AI isn’t something your typical auditor is involved with (at least not yet), and my post was more geared to how do you take IT audit skills and use them to move into a different career.
Thanks for your input.
I enjoy reading your blog. Do you have an article talking about the switch from IT Audit to Security? I have a couple of questions. I have over 10 years’ experience leading IT audits, and possess all the certs from CISA, to CISM to CISSP. I was thinking about switching internally to the Security department but the director was asking me how many years of security experience I had, and stated they normally look for someone who has been working in security.
1. How do you go about answering this type of question?
2. What is security’s view about the role of IT audit? Do they not believe it’s associated with and impacts security? Does security not see what IT audit’s value is within the organization?
No, I don’t have a post about switching from IT Audit to Security, as I did the opposite. The closest post is https://itauditsecurity.wordpress.com/2017/03/07/careers-after-it-auditing/, but I don’t think that’s what you want.
If you have those certs, I can’t imagine why the director isn’t interested. I would try to sell your understanding of IT processes, networks, Active Directory, etc., which is a great foundation for security.
I would also note that your audit background provides a better understanding of risk and how to categorize and rank it than the average security bloke. Try to sell that.
I guess it depends on what type of security work you want to do. Are you reviewing projects and technology for risk, designing how to secure websites, clouds, applications, etc., or writing policies, teaching security awareness, or actually administering security by creating user IDs, assigning access, etc.?
It all depends on how you can map your past experience into what the security department needs.
Also, auditors have to deal with nasty, upset people and try to help them understand risk and vulnerabilities and why some attempts at mitigating those risks aren’t enough. I think that’s a critical skill.
Check out this post, which might give you some ideas–it’s written to IT auditors but the same principles apply to trying to move into any new field, including security. Just replace ‘audit’ with ‘security’. See https://itauditsecurity.wordpress.com/2017/03/21/how-to-get-an-it-audit-job-with-little-or-no-experience/
Try to take situations you faced and handled well as an auditor and turn them into a quick story for the director. Basically, 1) here’s what happened, 2) what I did, and 3) how you made the situation better. You might want to check out my interviewing IT auditor series (just search ‘interview’ on the blog). Again, this is written about and for IT auditors, but the principles apply to most job interviews and how to approach them.
I would not hesitate to look outside the company if you can’t get anywhere inside.
I hope this helps. Sorry it took so long to respond. Let me know if I can help you further. Don’t give up. Mack
As a followup to this conversation: they did end up offering me this cyber security position but they want me to get in at an entry level. I was not too thrilled with this since I am a very senior IT Auditor. They said I could maintain my current pay. How would you address this?
That depends on how bad you want the job AND what the prospects in that department and company are.
Personally, I would tell them that your audit and risk background and experience, along with your certs, make you much more valuable than the typical entry level person.
Provide some projects or incidents that describe what the problem/issue/opportunity was, what you did about it based on X and Y, and what the outcome was (benefits to the company). That might bolster your position.
I would try to get them to put you at the next level.
Also, having a higher salary at a lower pay range means you won’t get very good raises.
I think they are trying to get you on the cheap. I would stand your ground. Tell them you’d really like to work for them, but would like to work something out that works for both of you.
If they decline, then it was their call. You can then say you will wait for a more appropriate position. Don’t sell yourself short.
But if moving on at your current salary works for you, go for it.
I did that once in my career–moved to a new area just like you want to–and stayed at the same salary. I regretted it for years.
Hope that helps. I’d be interested in hearing how this turns out.
Still ongoing – as a followup I talked to the Security Director who stated they were fighting for me to come in at a senior level since they know how my experience relates, though HR was adamant I should come in at a junior level since their belief was Audit and Security had nothing in common. Is it normal for HR to override Security, the subject matter experts? It just seems off.
I think it’s up to the security director to educate HR. If the director can’t do that then I would question his leadership and definitely how much he wants you on his staff. I would also question how HR is run because they are doing the security director’s job instead of their own. Who knows better what the security team needs, the director or HR? And who has to live with the long-term consequences of the decision?
It could also just be a ploy to save the company money.
Are you already working at this company? If not, I would question whether you really want to go there.
Again, it all depends on how bad you want this job.
One thing bothers me: HR is willing to pay you your current salary at a lower level and yet doesn’t want you to be at the senior level where I understand that salary range is. That doesn’t make sense. Makes me wonder if security has okayed your current salary with HR. You might want to look into that before you accept an offer.
You could also talk to the security director and propose that you get hired at your current salary at the lower level and then in six months or a year get bumped up to the senior level, assuming you’re doing OK. If you do this, make sure you get it in writing from the security director before you start the job. HR might still scream foul at that time but it’s another way to negotiate the possibility of getting a senior position.
I mentioned previously that I joined a new company in a different role than my previous one at the same salary. My new boss promised me a big raise after the first year but I didn’t get it in writing. Although I performed very well that year I never got my raise.
Jimmy, I’m just giving you things to think about, but look at all the facts and the things that are important to you and make your own decision. Wish you the best. Keep me informed. Mack
Thanks for your advice. I think it’s spot on. I am kind of confused myself honestly. The director called me today and said HR requested for me to document my security experience and then he would try to see if he could talk to them to try to bump up my level. Is this considered normal? The saga continues.
Not really, but it appears the director is on your side, which is good. In most companies, HR wins these battles unfortunately, as HR sees itself as the power brokers who know better than everyone else.
I’d highlight your experience with the various platforms, security frameworks, etc., and describe the more technical audits you did, what you found, how you worked with IT/security to understand the issues, and how you ranked risk and worked with the business to understand the cost/benefits. I’d also reach out to the business folks you worked with, if possible, and have them provide a recommendation on your behalf (especially if this job is in the same company).
Again, I think auditors have a better understanding of risk than most security personnel, and see if you can tell some quick anecdotes that show that.
Even if this doesn’t work out, it will refresh your mind in the experience you do have, and that will give you more confidence going forward, and help you prepare for the next move.
Also, have you seen the post, ‘Use LinkedIn to get an IT Audit job’? While you’re trying to get out of audit, the principles still apply. Just replace ‘it audit’ with ‘security’ when you read it.