Careers After IT Auditing

life-after-it-auditRecently, a reader named Porak asked me what careers IT auditors can move to when they leave auditing (see the original question here).

I couldn’t find much on the Internet on this topic, but there’s a lot of options.

I’ve actually worked in quite a few of the areas mentioned below…

 

If you’re skilled in general IT, you should consider the following fields, depending on your specific IT auditor skills and years of experience. Bold text indicates you’d probably need to possess a high level of skill in that area already to make a move.

  • Business Continuity Planning/Disaster Recovery* – help departments do risk assessments, business impact analyses, and create and test BCP/DR plans, and update them.
  • Compliance, Risk Management, or Information Security* – all these departments need people who understand policies, standards, risk, controls, running technical projects, research, etc.

Here’s one of the few articles on found re: life after IT audit: http://www.careersinaudit.com/article/moving-from-it-audit-to-cyber-security/?s=2

  • Vulnerability Assessor or Penetration Tester* – Run vulnerability scans and try to break software/hardware manually and/or with tools.
  • Technical Writing* – Documenting manufacturing processes, computer operation manuals, training materials, etc. Assuming you have excellent interviewing and written communication skills.
  • Training – teach others how to use computer systems, software, hardware, etc.
  • Data Analytics* – most departments are doing some type of analytics these days.
  • Management* – easy to move into if you managed or mentored people when you were in audit.
  • Process Improvement – usually auditors identify problem areas that can be made more efficient as part of some audits, so this may be a possibility.
  • Merger integration – Assist your company acquire another company, working through the redundant networks, IT systems, personnel, etc. I list this one as an example that almost anything is possible, especially since one IT audit director I know just moved within the same company to this very position.

*These are positions I’ve held prior to my experience as an IT auditor. The only exception is Data Analytics, which I did not get into until I was in IT audit. In my case, all this prior experience made me a better IT auditor, but it works the other way around too.

I’m sure I missed several other careers.

Who can add a few more, with a short description of why you think it’s a valid option for a IT auditor to aspire to?

Advertisements

12 Comments

Filed under Audit, Employment, How to..., Technology

12 responses to “Careers After IT Auditing

  1. Hello sir,

    I have a few questions about IT Auditing. I have done my SOX certification. What will be the next step I should take? Also I have been applying for jobs but no luck yet but I’m not giving up. Since I don’t have any job experience. Please do let me know your concerns.

    Thanks

    Like

  2. Bill Dwight

    What a great blog!

    Like

  3. Pingback: Top 10 Reasons Why Being an IT Auditor is So Hard | ITauditSecurity

  4. Audit Monkey

    Become normal, well adjusted people?

    Like

  5. sysaudit

    What about the thriving field of data mining and artificial intelligence? Should Auditors think of taking a leap on those?

    Like

    • sysaudit,
      Yes. Some people don’t differentiate between data analytics, data mining, data analysis. Others will cause a bar fight over these terms. Generally, analytics is answering a question by analyzing data–like how often do people log in on weekends, what time, and does an evil pattern exist?

      Data mining is looking for gems you didn’t know they there–identifying previous unknown patterns that can be beneficial (people who shop online late at night buy more food). Sounds like data analytics, kind of?

      I wouldn’t begrudge anyone going into AI either, which loosely, is helping computers and machines make decisions based on previously defined rules and scenarios, and when a situation is encountered the first time, determining how to deal with it.

      AI isn’t something your typical auditor is involved with (at least not yet), and my post was more geared to how do you take IT audit skills and use them to move into a different career.

      Thanks for your input.

      Like

  6. Jimmy

    Hi ITauditSecurity,
    I enjoy reading your blog. Do you have an article talking about the switch from IT Audit to Security. I have a couple questions. I have over 10 years experience leading IT audits, and possess all the certs from CISA, to CISM to CISSP. i was thinking about switching internally to the Security department but the director was asking me how many years of security experience i had, and stated they normally look for someone who has been working in security.

    1, How do you go about answering this type of question
    2. What is security view about the role of IT audit, do they not believe it’s associated and impacts security. Does security not see what IT audit’s value is within the organization?

    Thanks

    Like

    • Jimmy,
      No, I don’t have a post about switching from IT Audit to Security, as I did the opposite. The closest post is https://itauditsecurity.wordpress.com/2017/03/07/careers-after-it-auditing/, but I don’t think that’s what you want.
      If you have those certs, I can’t imagine why the director isn’t interested. I would try to sell your understanding of IT processes, networks, Active Directory, etc., which is a great foundation for security.
      I would also note that your audit background provides a better understanding of risk and how to categorize and rank it that the average security bloke. Try to sell that.
      I guess it depends on what type of security work you want to do. Are you reviewing projects and technology for risk, designing how to secure websites, clouds, applications, etc., or writing policies, teaching security awareness, or actually administering security by creating user IDs, assigning access, etc.
      It all depends on how you can map your past experience into what the security department needs.
      Also, auditors have to deal with nasty, upset people and try to help them understand risk and vulnerabilities and why some attempts at mitigating those risks aren’t enough. I think that’s a critical skill.
      Check out this post, which might give you some ideas–it’s written to IT auditors but the same principles apply to trying to move into any new field, including security. Just replace ‘audit’ with ‘security’. See https://itauditsecurity.wordpress.com/2017/03/21/how-to-get-an-it-audit-job-with-little-or-no-experience/
      Try to take situations you faced and handled well as an auditor and turn it into a quick story for the director. Basically, 1) here’s what happened, 2) what I did, and 3) how you made the situation better. You might want to check out my interviewing IT auditor series (just search ‘interview’ on the blog). Again, this is written about and for IT auditors, but the principles apply to most job interviews and how to approach them.

      I would not hesitate to look outside the company if you can’t get anywhere inside.

      I hope this helps. Sorry it took so long to respond. Let me know if I can help you further. Don’t give up. Mack

      Like

  7. Jimmy

    Mack,
    As a followup to this conversation. They did end up offering me this cyber security position but they want me to get in at an entry level. I was not too thrilled with this since I am a very senior IT Auditor. They said i could maintain my current pay.. How would you address this.
    Thanks,
    Jimmy

    Like

    • Jimmy,
      That depends on how bad you want the job AND what the prospects in that department and company are.
      Personally, I would tell them that your audit and risk background and experience, along with your certs, makes you much more valuable than the typical entry level person.
      Provide some projects or incidents that describe what the problem/issue/opportunity was, what you did about it based on X and Y, and what the outcome was (benefits to the company). That might bolster your position.
      I would try to get them to put you at the next level.
      Also, having a higher salary at a lower pay range means you won’t get very good raises.
      I think they are trying to get you on the cheap. I would stand your ground. Tell them you’d really like to work for them, but would like to work something out that works for both of you.
      If they decline, then it was their call. You can then say you will wait for a more appropriate position. Don’t sell yourself short.
      But if moving on at your current salary works for you, go for it.
      I did that once in my career–moved to a new area just like you want to–and stayed at the same salary. I regretted it for years.
      Hope that helps. I’d be interested in hearing how this turns out.

      Like

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s