25 years is a long time to have been placing Technology Auditors – so long ago that back then we used to deliver resumes to our clients via carrier pigeon. The profession was still in the relatively early stages of its progression. The Big 6 (as they were called at the time) were just beginning to develop IT Audit/Security practices, and had not yet become the major feeder for the profession, so many technology auditors transitioned into the profession from operational roles in IT. IT Auditors (or EDP Auditors as they were referred to at the time) were an odd lot, and not allowed to sit at the same lunch table with the “real” Auditors, and they seldom if ever would work together on an audit at the same time.
In the 2000s, along came a little thing called Sarbanes-Oxley (otherwise known as the Full Employment Act for the Internal Audit profession). The arrival of SOX marked a swing of the Internal Audit pendulum back towards compliance. By this time, the Big 4, and other public accounting firms, had developed thriving IT Audit/Security practices, and these practices had become the primary path into the profession. The combination of those two events marked a fundamental change for the typical IT Auditor entering the field. Instead of coming directly out of IT, much more often IT Auditors were entering the field with experience in nothing more that SOX and ITGC testing. I started referring to this as the Big 4 IT Audit generalist skill set – a mile wide, but not very deep, and check-list heavy. At the same time, Internal Audit departments, and Internal Auditor skill sets, had started to become much more integrated, with less clear differentiation between what was an IT Auditor versus an Internal (financial/operational) Auditor.
Return of the technical IT Auditor:
Over the past several years, however, we have noticed an unmistakable move by Internal Audit departments to attempt to hire IT Auditors with deeper technical backgrounds and skillsets. The reasons for this seem obvious. After witnessing dozens of major information security breaches, not to mention the tampering of a national election, cyber-risks are at the forefront of any Boardroom discussion, far outweighing the risks posed by controls over financial reporting. At the same time, the technology paradigm has steadily shifted away from in-house centralization to doing business in the Cloud.
This shift has resulted in the need for a new (or perhaps old) type of Technology Auditor, one who has the ability to understand technical/cyber issues on a much more detailed and granular level, as well as one more focused on risk and less on check-list compliance (though IT compliance is still a major area of attention). In the financial services space, Examiners have also played a role in demanding that IT Audit functions increase their technical aptitude. John Steensen, a Senior Director of Technology Audit at Visa noted [of their move to a more technical skillset] that “the payback has been great – our audits are deeper, more insightful, and address technical issues at a deeper level than ever before.”
The move to the Cloud has also necessitated further evolution of the IT Audit skillset. Ronnie Dinfotan, VP of Information Technology Internal Audit for First Republic Bank in San Francisco points to the need for a more data-savvy IT Auditor. He noted that, we used to be able to “run a few security vulnerability analysis tools on an internal network” and within a few hours have comfort with network design, the control environment, and how the security team is performing. “It’s much more difficult today, with cloud computing environments in the mix.”
We first started to notice this trend perhaps three years ago when one of our large financial services clients asked us to start recruiting candidates coming out of IT or Information Security. At the time we thought perhaps this was a one off. Now, there is no mistake that this is clearly the way the profession is moving. Looking back at our Technology Audit searches for 2018, 80% of our clients requested some degree of hands-on operational IT experience (sys admin, DBA, security engineer, software engineer, etc.), and it was a hard requirement on 40% of those searches.
Talent gap:
Unfortunately, the move to more technical IT Auditors has not been mirrored by the availability of that skillset in the market place. In fact, just the opposite. We have seen over the past few years a dramatic expansion of the cybersecurity profession, not to mention IT risk, IT compliance, and data science – all of which are aggressively recruiting from that same talent pool, often with much more attractive compensation packages. And while the Big 4 and other public accounting firms have diversified their practices since the early 2000s, they are still not turning out an abundance of highly technical IT Auditors.
Consequently, Internal Audit departments who desire to recruit from this talent pool need to be prepared to move quickly and aggressively, be able to clearly articulate their value proposition, and be prepared to pay a hefty price tag. A highly technical IT Auditor is not going to fit within your typical Internal Audit compensation structure; be prepared to pay that individual as if they were a Senior Manager or Director.
Other challenges with the technical IT Auditor:
Finding technologists open to working in Technology Audit is not the only challenge. Some companies find that it can be difficult to train a technologist to have an auditor/risk mindset. Dan DerGarabedian is Managing Director, Head of Information Technology and Data Audit at BNP Paribas USA. He noted, “for me, it is more important for someone to have a solid understanding of key IT controls…and the ability to evaluate the design of the controls…than to have a very technical auditor that doesn’t grasp the concept of controls.”
Another challenge is to keep these technical resources stimulated. DerGarabedian added, that it can be “quite challenging to hire ‘experts’ full time, when we only audit specific technical areas on a cyclical basis,” and further noted that it can be a challenge to get them to perform more mundane tasks like documenting workpapers. This can be an even more significant issue for smaller Internal Audit departments, where those highly technical audits may make up an even smaller part of the audit schedule. Is that highly technical resource going to be excited to spend a third to half of the year on IT SOX testing?
The challenge for those already in the field:
For those Technology Auditors who are already in the field, and who have not come out of IT, I suspect there will be increasing pressure to further develop one’s technical skillsets. One approach is to start asking your leadership to send you to more technical training; instead of only attending the typical Audit conferences, start attending IT or cybersecurity-focused training events. In other words, go to the source and get your training where the technologists do.
One can also build technical competency with online training and various technical certifications. For those who favor a classroom setting, there are increasing number of offerings at universities and colleges. One doesn’t need to pursue an entire degree program, or a hefty price tag, as an increasing number of relevant offerings can be found at community colleges for a very reasonable investment.