Auditing Career: How to Focus on High Value Skills
Recently, I received an email from a young auditor, asking that I advice him on how to focus his resources in a way that will yield the most valuable skills for the future. Especially in a future where IT Audit and Financial Audit are meshing. Below is the email, with his name changed to protect his privacy:
I have a question for you. I have a business background having done Chartered Accountancy and then also did CISA. I also worked in the Enterprise Risk Services in Deloitte. The field of IT Audit requires an understanding of the business processes as well as the technical knowledge of ERP, OS and other applications. Since one cannot be an expert in both (business & technical), how can one achieve a balance between the two and know which skills will be most valuable in the future.
Mr. H. Dalad Wasi”
This is, in my opinion one of the most important questions auditors should be asking themselves today. Gone are the days when auditors could rely on a static set of skills and practices to succeed in their careers. And, gone are the days when most auditors, internal and external, had the good fortune of having job security to the point where they could, over a period of many years, fine tune company specific “routines” that allowed them to remain in their company’s insular (and sometimes provincial) cultures, where bad habits and bad practices went unnoticed and unchecked for decades. As a result of Globalization and market realities, survival for most auditors now depends on their abilities to re-educate themselves quickly and in gaining a strong foundation in the internationally accepted frameworks promoted by organizations like IIA, ISACA, ISO, IRCA and the AICPA. After gaining the basic certifications issued by these organizations, my focus would be as follows:
1) Prepare to change the focus of your career several times over the next 5 or 10 years, in order to adjust to rapid changes in the economy and as technology forces change the society in general. What I’m saying here is that 10 years ago there was no Sarbanes-Oxley and IT Auditors where still focused on AS-400′s, EDI networks and the Internet was still not well defined as a viable e-commerce platform. Most auditors 10 years ago still worked in a manual environment, and those using spreadsheets where considered highly advanced. Imagine an auditor today not “accepting” work on Sarbanes-Oxley, or not having upgraded his technical skills beyond the AS-400. They would be out of work. In a nutshell, to stay employable the auditor must be able to dynamically accept and understand the tools, processes, political realities, economics, new practices and limitations adopted by the general society, the auditing field and specifically the business world, as they progress through time. Some folks call this “having an open mind to change.”
2) Accept that the meaning of “Auditor” is in flux, and in the process of being redefined. It is my opinion that today the best auditors are those who unofficially wear about 4 hats at the same time. The first hat is the traditional hat worn by the typical CIA or CISA, which is focused on control frameworks and controls testing. Then the risk management hat, which is for auditors a “light version” of the work done by the PRM or ARM folks; dealing with formal risk assessments, reporting and analyzing impacts at the operational and IT levels. Then there is the compliance hat, which auditors can not avoid since they are the ones testing the controls that either pass or fail compliance. So, they often have to perform some sort of unofficial duties helping the compliance officers, or when there is no compliance officer, leading the compliance / remediation efforts in some fashion. The fourth hat worn by most auditors is the Governance hat. In the past, this hat was a small one, but now its gaining in size. Both corporate and IT governance have experienced fast changes since Sarbanes-Oxley was passed, stockholders became more demanding (in last 10 years) and internationally accepted frameworks have been accepted as legal and operational practices. The need for governance advisers by boards and the “C” levels, have allowed many auditors to fulfill this role given their traditional work with rules and regulations, policies and procedures. Next to corporate lawyers, auditors are the best positioned to work in the governance area. In my opinion, auditors who master these four areas are currently in high demand and will be so for a long time.
3) The IT challenge. My opinion is that IT Auditors need to get their CIA certifications and financial auditors need to get their CISA’s. This will take time for most people, but its not un-duable, specially for intelligent folks that are good at test taking. Most auditors by natural selection, are good at taking tests! Why do I feel this way? Remember we are talking about things that will make you most valuable for the future, and with the US economy shrinking, outsourcing, foreign competition and shorter employment cycles for most professionals, those who have the most diversity of skills and qualifications are better off than those who do not. If you look at the CIA material, a good two sections parallel with the CISA material. Study and get it done, period.
4) If you are a new CISA, I recommend that you focus your energies on two or three IT domains (IT Security, DR, SDLC) which you will make your “forte” for the next two to three years. Included in there should be strong knowledge of an ERP system like Oracle. Also, make sure you learn and become confortable with CobiT 4.1. If you are a new CIA, I recommend that you focus your energies on learning the IFRS and you position yourself as an expert in that area. Also, learn the COSO framework and get a good grip on risk assessments and the ACL analytics package.
The email from H. Dalad Wasi also asks how one can maintain a balance between IT and Financial auditing (since he is balancing the two). He is right in that few people can be masters of both. My answer is that one tends to gravitate for that which gives you the most satisfaction and where you find the greatest recognition and compensation from a social, financial, political and family perspective. If you are a nerd dressed up as a auditor, this will influence how you make this decision. But, if you’re an auditor forcing yourself to understand TCP/IP and router tables, this will also influence your decision. When I say that auditors should be both IT and financial auditors, I do not call for supermen or superwomen who are complete experts in each domain. Strong expertise in one domain and working knowledge in the other is sufficient to give you the competitive advantage needed.
This was intended to be a short reply, but it grew into something bigger. I also suspect I’ve missed some key issues, but for now this is my advice and I hope it was helpful to H. Dalad Wasi and others reading it.
If readers have ideas or suggestions for Mr. Wasi, please feel free to leave them here in the “Comments” so we can all contribute.