Home > Audit, Human Resources, Jobs, Training and Certifications > Auditing Career: How to Focus on High Value Skills

Auditing Career: How to Focus on High Value Skills

Bracken House - London
Image by Remko van Dokkum via Flickr

Recently, I received an email from a young auditor, asking that I advice him on how to focus his resources in a way that will yield the most valuable skills for the future.  Especially in a future where IT Audit and Financial Audit are meshing.  Below is the email, with his name changed to protect his privacy:

“Hello Joel,

I have a question for you. I have a business background having done Chartered Accountancy and then also did CISA. I also worked in the Enterprise Risk Services in Deloitte. The field of IT Audit requires an understanding of the business processes as well as the technical knowledge of ERP, OS and other applications. Since one cannot be an expert in both (business & technical), how can one achieve a balance between the two and know which skills will be most valuable in the future.


Mr. H. Dalad Wasi”

This is, in my opinion one of the most important questions auditors should be asking themselves today. Gone are the days when auditors could rely on a static set of skills and practices to succeed in their careers. And, gone are the days when most auditors, internal and external, had the good fortune of having job security to the point where they could, over a period of many years, fine tune company specific “routines” that allowed them to remain in their company’s insular (and sometimes provincial) cultures, where bad habits and bad practices went unnoticed and unchecked for decades. As a result of Globalization and market realities, survival for most auditors now depends on their abilities to re-educate themselves quickly and in gaining a strong foundation in the internationally accepted frameworks promoted by organizations like IIA, ISACA, ISO, IRCA and the AICPA. After gaining the basic certifications issued by these organizations, my focus would be as follows:

1) Prepare to change the focus of your career several times over the next 5 or 10 years, in order to adjust to rapid changes in the economy and as technology forces change the society in general. What I’m saying here is that 10 years ago there was no Sarbanes-Oxley and IT Auditors where still focused on AS-400’s, EDI networks and the Internet was still not well defined as a viable e-commerce platform. Most auditors 10 years ago still worked in a manual environment, and those using spreadsheets where considered highly advanced. Imagine an auditor today not “accepting” work on Sarbanes-Oxley, or not having upgraded his technical skills beyond the AS-400. They would be out of work. In a nutshell, to stay employable the auditor must be able to dynamically accept and understand the tools, processes, political realities, economics, new practices and limitations adopted by the general society, the auditing field and specifically the business world, as they progress through time. Some folks call this “having an open mind to change.”

2) Accept that the meaning of “Auditor” is in flux, and in the process of being redefined. It is my opinion that today the best auditors are those who unofficially wear about 4 hats at the same time. The first hat is the traditional hat worn by the typical CIA or CISA, which is focused on control frameworks and controls testing. Then the risk management hat, which is for auditors a “light version” of the work done by the PRM or ARM folks; dealing with formal risk assessments, reporting and analyzing impacts at the operational and IT levels. Then there is the compliance hat, which auditors can not avoid since they are the ones testing the controls that either pass or fail compliance. So, they often have to perform some sort of unofficial duties helping the compliance officers, or when there is no compliance officer, leading the compliance / remediation efforts in some fashion. The fourth hat worn by most auditors is the Governance hat. In the past, this hat was a small one, but now its gaining in size. Both corporate and IT governance have experienced fast changes since Sarbanes-Oxley was passed, stockholders became more demanding (in last 10 years) and internationally accepted frameworks have been accepted as legal and operational practices. The need for governance advisers by boards and the “C” levels, have allowed many auditors to fulfill this role given their traditional work with rules and regulations, policies and procedures. Next to corporate lawyers, auditors are the best positioned to work in the governance area. In my opinion, auditors who master these four areas are currently in high demand and will be so for a long time.

3) The IT challenge. My opinion is that IT Auditors need to get their CIA certifications and financial auditors need to get their CISA’s. This will take time for most people, but its not un-duable, specially for intelligent folks that are good at test taking. Most auditors by natural selection, are good at taking tests! Why do I feel this way? Remember we are talking about things that will make you most valuable for the future, and with the US economy shrinking, outsourcing, foreign competition and shorter employment cycles for most professionals, those who have the most diversity of skills and qualifications are better off than those who do not. If you look at the CIA material, a good two sections parallel with the CISA material. Study and get it done, period.

4) If you are a new CISA, I recommend that you focus your energies on two or three IT domains (IT Security, DR, SDLC) which you will make your “forte” for the next two to three years.  Included in there should be strong knowledge of an ERP system like Oracle.  Also, make sure you learn and become confortable with CobiT 4.1.  If you are a new CIA, I recommend that you focus your energies on learning the IFRS and you position yourself as an expert in that area.  Also, learn the COSO framework and get a good grip on risk assessments and the ACL analytics package.

The email from H. Dalad Wasi also asks how one can maintain a balance between IT and Financial auditing (since he is balancing the two). He is right in that few people can be masters of both. My answer is that one tends to gravitate for that which gives you the most satisfaction and where you find the greatest recognition and compensation from a social, financial, political and family perspective. If you are a nerd dressed up as a auditor, this will influence how you make this decision. But, if you’re an auditor forcing yourself to understand TCP/IP and router tables, this will also influence your decision. When I say that auditors should be both IT and financial auditors, I do not call for supermen or superwomen who are complete experts in each domain. Strong expertise in one domain and working knowledge in the other is sufficient to give you the competitive advantage needed.

This was intended to be a short reply, but it grew into something bigger. I also suspect I’ve missed some key issues, but for now this is my advice and I hope it was helpful to H. Dalad Wasi and others reading it.

If readers have ideas or suggestions for Mr. Wasi, please feel free to leave them here in the “Comments” so we can all contribute.

Enhanced by Zemanta
  1. October 16, 2009 at 8:44 AM

    I enjoyed your response. It is critical for auditors to keep abreast of changes in both the financial and IT worlds. The Institute of Internal Auditors (IIA) is an excellent source for information and changes in the industry. Also, I’d like to add that although many audit consulting companies are looking strictly for the CPAs, management consulting and project management skills are key to support internal auditors. Based on my own experience working for over 10 public companies while at a consulting company, consulting skills, relationship management skills and project management skills provide an auditor the ability to interact with their external or internal client, understand their needs and think proactively on helping identify both financial and IT issues and create value-added solutions to help companies in these tough times.

  2. Xavier
    October 16, 2009 at 11:56 AM

    The article provides helpful insight which is necessary for the “New Age” Auditor. Many auditors today are more generalists, those who come directly out of college with little or no practical experience. This is not really a bad thing because the level of frustration when learning new concepts can be mitigated. In my opinion, it all depends on the person and their ability to grasp new information and they’re ability to apply understanding. This works well for an assurance engagement, which provides a methodology for performing an Audit. Where the rubber hits the road is when Consulting services are required for either Finance or Information Technology. In this scenario, it would be more difficult for a generalists to add value to Finance or Information Technology engagements rather than someone who has intimate knowledge of those areas coupled with audit experience. Here is where the technical understanding of the Audit Team is determined because many Audit Service providers, be it IT or Finance are the backbone of some companies Audit Departments. Where those considered to be SME’s it is easier to add the value to the organization because of there knowledege and background. At either juncture the goal would not be to remain an auditor because most audit professonals (generalists or experts) are trained and move into some area of the business to develop their business Savvy in a way that provides real career progression.

  3. Tahir Soomro
    October 16, 2009 at 12:37 PM

    I think this is truly a great piece of work. I being an experienced IT Auditor can second the author’s opinion as all these changes have already started to surface in various organizations and IT Auditors are expected to work as versatile as never before. These changes are partly due some financial crunches around the globe but there are also some changes due to changing expectations from both audit as well as technology.

    However, one problem that is confusing me in today’s time is to know the value of an auditor in post recession times…. I am not sure if the demand will increase as it used to increase in the past or it will decrease with the passage of time. There could be a rise in risk managers demand which may be expected from audit professionals but there can be altogether new trends and new faces in the organizations.

  4. Luigi Portobene
    November 8, 2009 at 4:07 AM

    Your article provides good information and I enjoyed reading it. I am an auditor in Italy and plan to move to Boston in the near future. The information in the article provides a picture of where American auditors need to go to stay competitive. I will be in that gondola soon!

    Cordiali saluti,


  5. F. Stone
    November 21, 2009 at 1:11 PM

    Great article.

    The advice you’re giving reflects what I’m experiencing in the marketplace. The role of auditor is changing because technology is forcing everyone to change. Your call for CISA’s to become CIA’s is something I am in the middle of achieving.

    Thanks for the article.

    F. Stone

  6. ISO 9000
    October 4, 2011 at 5:05 AM

    I positively venerate celebration of a mass your blog posts, a accumulation of essay is smashing.we have had to bookmark your site as well as allow to your feed.Your thesis looks lovely.Thanks for sharing.
    iso 9000

  1. October 14, 2009 at 9:18 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: