Taking Off The Training Wheels: Strategies For Transitioning From SOX To Risk-Oriented Audit

Over the past several years, as an executive recruiter focused on Audit and GRC, I came to hear a very common refrain from my clients seeking to fill their Internal Audit positions. A composite of those remarks would sound something like this:

We have seen a ton of resumes and interviewed many candidates, but all we are seeing are SOX generalists. We need someone with risk-based Audit experience and depth of subject-matter expertise.

This led me to ponder the question, “why was there such a prejudice against SOX professionals?” Over the last 18 months, I interviewed scores of Chief Audit Executives (CAEs) and Audit Directors. To understand the issue better, I asked them what the primary differences are between risk-based auditors and SOX professionals.

While the answer to this question could fill an entire article itself, it is safe to say that the answers demonstrated amazing uniformity. These CAEs demonstrated a strong prejudice against professionals with primarily SOX experience. Among the concerns, they noted that SOX was too checklist-oriented, overly prescriptive, black and white, and repetitive. As one CAE put it, “SOX is like Audit with training wheels.”

By contrast, these CAEs contend that risk-oriented auditing professionals need to have a much deeper understanding of business in general, and particularly of their own specific business. They need this understanding to appropriately weigh the myriad specific risks to their organization within the context of an overall controls structure, in order to see through many shades of gray and exercise good judgment. This deeper understanding helps auditors understand management’s concerns and improves the value of their audits. Finally, where a compliance mindset typically feels little need to persuade, the risk-oriented professional needs advanced persuasion skills.

In short, the SOX (or any other) compliance framework is at best a starting point in the audit process, the bottom compartment of the risk-oriented auditor’s toolbox.

I subsequently asked these CAEs what things someone could do to try to facilitate a move from primarily SOX-related activities into a risk-oriented Audit role. This article will address strategies for those interested in transitioning from SOX into risk-oriented audit.

Steps To Prepare For Transition

A variety of actions can enhance your candidacy for a risk-oriented audit position.

One step you can take is to pursue certifications related to risk-oriented internal auditing. The CISA and CIA are well recognized certifications that will help provide a risk-oriented theoretical foundation as well as demonstrate your commitment to the field.

You can also make yourself more conversant by reading everything you can about risk and risk-based auditing. Trade Journals can provide a valuable educational resource. The IIA’s Internal Auditor or ISACA’s Journal are excellent places to start, but any sources dealing with risk or risk-oriented auditing can help advance your knowledge and make you more conversant.

Training classes focused on the subject of risk management or risk-based audit can also be a good means to increase your risk IQ. Your local ISACA or IIA chapter meetings can provide one reasonably priced resource. Online study is also an economical option.

If you are currently working in a SOX function in industry, explore whether you can be lent to Internal Audit for some projects or a longer tour. Given the seasonal nature of SOX and tight budgets for some internal audit departments, this can prove to be a win-win for both groups – and for you. Similarly, if you are working in public accounting or consulting and utilized primarily on SOX projects, try lobbying your management to place you on risk-based projects. Even if limited to SOX projects/engagements, getting involved with assessment, design or rationalization of controls, areas that require more judgment, will be more valuable that strict documentation and testing.

Finally, while it is not directly risk related, developing deep subject-matter expertise in in-demand skills can be a means of getting a foot in the door. If your are bringing badly needed skills sets in technology, technical accounting , data analytics or banking regulations, a hiring manager might consider your risk-oriented audit learning curve a worthwhile tradeoff in return for the skills and knowledge you bring to the department.

During The Interview

In an interview, it is important to acknowledge what you do not know. Hiring managers and directors are sometimes willing to take on a candidate with a known learning curve it the candidate acknowledges and understands what they do not know and what they need to learn. It is a big red flag, however, when a candidate does not seem to understand what it is that they do not know. Plus, it you have pursued some of the steps above, you will at least be able to demonstrate that you have taken positive action to increase your knowledge and make yourself conversant.

It could also be of value to develop some sample Audit programs for risk-oriented audits. This could help demonstrate both your interest and aptitude to a potential interviewer.

Finally, It is essential to demonstrate strong business acumen. Understanding the business is the key to risk-oriented auditing, as only from that perspective can we make true judgments about risks and their potential impact. Whether interviewing as an external or internal candidate, if it is important to go into the interview demonstrating that you have a fundamental understanding of the business. To prepare, candidates should read everything they can about the company for which they are interviewing, and familiarize themselves with the industry. Even if you are not changing industries, bring yourself current with what is happening now. The world is in constant flux, and odds are strong that your business is changing. Then, prepare yourself to address questions about potential risks and their impact. Being able to demonstrate this kind of knowledge will significantly increase your prospects.

Plan B

If you determine over time that you have not been able to make a successful transition, you might consider an initial move into the business or IT. Working in a business unit or in IT may allow you to develop deep subject-matter expertise that may eventually facilitate your move into Audit, as interviewee noted, “business + SOX is better than just SOX experience.” Of course, it is also always possible that having moved into this new area, you may decide you do not want to move into audit after all.

This article was written by Todd Weinman, President and Chief Recruiting Officer of The Weinman Group, and Executive Search Firm specializing Audit and GRC.