A debate on this blog over analytics and the future of internal audit is heating up.
A few readers, including our colleague across the sea, AuditMonkey, have dove in, and skyller and I have responded in kind.
Well, not exactly. AuditMonkey has been more kind, to his credit. But I digress.
If YOUR audit department doesn’t embrace data, analytics, and automation eventually, your audit department will NOT exist.
No data, no analytics. No analytics, no automation. Eventually, no audit department.
Editor Note: This post really applies to all departments in a company, but mainly I’m addressing auditors, but you might want to read between the business lines….
By embrace, I don’t mean have one or two auditors working on this. I mean the entire department.
Before you cite all the regulatory requirements mandating the existence of an audit department in companies, having an audit department in name only won’t cut it.
Having an inept audit department will not be acceptable to regulators, and it shouldn’t be acceptable to company management either. Or Audit Committees!
Companies need skilled and efficient auditors that can do the heavy lifting, and this need will only increase.
Passing the CISA exam does not make you a good IT auditor anymore than passing a driving test makes you a good driver.
Passing either exam says that you know the basics, but you still have a lot to learn.
Most likely, you still don’t know how and when to use what you know and apply it to the current situation. That’s why experience is necessary. Lots of it.
I’m going on a rant here, so reader beware. If you read on, make sure you hang in there until I make my main point in the end.
You just won’t feel the love right away…
Unless your department is still in the early stages of your analytics journey, analytic skills should be one of your hiring and promotion criteria.
In an earlier post I outlined 10 Signs Mgmt Doesn’t Really Support Analytics.
One of the signs is that hiring and promotion decisions are made without reference to a person’s analytic skills.
Here’s a list of all my posts to-date related to becoming or growing as an IT Auditor, all in one place for easy reference.
I’ll add other posts as they are written.
If you’re looking for an IT Audit job, here’s how to use LinkedIn to get noticed.
In a nutshell, you need to enhance your LinkedIn profile so that everyone knows you’re working hard at learning IT auditor skills.
If you’re already working as an IT auditor, use these suggestions to get noticed more and move ahead (or into another company with more opportunities).
In my last post, I described Why Internal Auditors Should Care about Robotic Process Automation.
In this post, I’ll explore whether RPA can replace analytic packages like ACL, IDEA, R, and Power BI.
That might seem like a strange question, but a few managers and a VP have asked me just that recently. Here’s how I’ve answered it.
When internal auditors (or those pretending to be such) do poor work and don’t follow the appropriate audit and IT standards, they are unprofessional. However, I put the blame at the feed of audit management.
I get asked all the time, “How do I get a job in IT audit with little or no experience?”
When Michael Onuoha asked me this question (see here), I thought I’d share my response with my readers.
You’ll find these same answers scattered around the blog as I answered people in the past, but I thought I’d pull it all together into one place.
Breaking into any field can be difficult, but it can be done. Especially when the demand for IT auditors is so high.
Before you choose a career as an IT auditor, consider my top 10 reasons why being an IT auditor is so hard.
Recently, a reader named Porak asked me what careers IT auditors can move to when they leave auditing (see the original question here).
I couldn’t find much on the Internet on this topic, but there’s a lot of options.
I’ve actually worked in quite a few of the areas mentioned below…
If you’re an auditor, you need data analytic skills or you will die.
Or put another way, if you don’t acquire them in the next 1-5 years, you will no longer be an auditor.
Pretty bold statement, isn’t it?
If you’re a new IT auditor or want to become one, I’ve listed a number of my earlier posts for your consideration. If you’re an experienced auditor, here’s an overview of the profession through my eyes.
These posts will:
- Provide basic information regarding IT audit and security and links to other sources.
- Help you avoid some of the hidden pitfalls that control owners and auditors face.
- Give you ideas and approaches for some common and uncommon audits.
- Give you a few chuckles.
If you start at the top and read through each post, you’ll get a good taste of the positives and negatives of IT auditing. Since you can’t do it in one sitting, you could bookmark the list and work your way through it as you have time.
It finally happened: I fell prey to a phishing email.
I actually clicked a link.
At work, no less. Not good.
Norman Marks, of the Institute of Internal Auditors, likes to hire auditors who can think.
You should too.
How does he do it?
Below is a list of the top paying certs for 2014 (including average salary amount).
The list is based on the 2014 IT Skills and Salary Survey conducted by Global Knowledge and Penton, completed in October 2013.
After the list, I offer a few comments on some of the certs and the salaries.
Open letter to you-know-who: Shine your shoes.
I know lots of things don’t matter much in life, and this might be one of them, but it doesn’t take much effort to put some polish on your shoes. It makes your shoes happy, it helps them last longer, and you look better too, which can translate into more confidence on your part. And being taken more seriously by others, especially people older than you.
According to the FBI, crime pays pretty well sometimes, at least for a while. And cybercrimers are hiring. Like the rest of the workforce, crooks are specializing. In this speech, Steven R. Chabinsky, FBI Cyber Division Deputy Assistant Director, discusses the top 10 crooked specialties:
While reading a job description for an IT security analyst recently, I noticed that the details were somewhat vague. The position required so many years of the usual security requirements and experience with routers, firewalls, IPS, but it didn’t mention which ones.
Then I saw this statement, which explained the vagueness:
CSO magazine had a great article some time ago that I came across again entitled, How Not to Hire an Information Security Officer Who’s on Parole. After it describes some true-life hiring horrors, it provides some good points to remember about hiring:
Some people do not understand that both diamonds and the Internet are forever. I found this statement in a discussion on LinkedIn:
I am excited about 2 interviews next week even though I’m not fully qualified for either one.
As I’ve mentioned already, hiring good IT auditor contractors is hard enough. But when you hire them and they can’t do the work, rolling them off the project isn’t easy either.
I was reviewing my blog stats and noticed that posts regarding employment and interviewing were my all-time most popular posts. At first, this surprised me, but as I thought about the economy and how many people (including myself) were laid off, it made sense. Here’s my most popular posts to-date:
I don’t make this stuff up…
In a recent phone interview where I was trying to hire a IT SOX auditor for a short-term project, I had asked most of my interviewing questions. So I asked the candidate, “Do you have any questions for me?”
“You said that this project consists solely of testing IT SOX controls. SOX is now 5 to 6 years old. What is driving this project?”
I swallowed my surprise, and answered, “SOX compliance – annual testing requirements.”
“Oh,” said the consultant, “That makes sense.”
[You know what that means, don’t you? More interviews. Help!]
Interviewing IT Auditors
Bad Interviews Qs
More IT Auditor Interviews…
Pain of Letting (Auditors) Go
I hear all the time how fierce the competition is out there in job land, but I’m still not seeing it. After more IT auditor interviews, I’m the one that is getting discouraged (and I’m the interviewER, not the interviewEE).
I’m still thinking about the IT auditor interviews I did recently. Not only did I get frustrated with the interviewees, I struggled with my co-interviewers. I not only thought some of their questions were poor, but they branded me a “tough interviewer.”
A few weeks ago, I did several phone interviews and concluded that no abundance of skilled IT auditors are looking for jobs these days.
First, isn’t the purpose of the interview to determine what a person’s experience is, and whether that experience is a good match for the position? At least 3 of the interviewees provided negative information about themselves unexpectedly: