Career Development for IT Auditors
Wednesday, May 9
North America CACS 2012
Derek Duval, CPC
Duval Search Associates
www.duvalsearch.com
derek@duvalsearch.com
Forces Affecting the IT Assurance Market
• Economic conditions are improving; uncertainty remains, but positive momentum is building.
• Compared to general employment trends, IT Assurance careers have stayed much stronger than average.
• Management views technology as an area of increased risk.
• IT Assurance professionals have more visibility with multiple stakeholders.
• Organizations continue moving away from hierarchical structures toward flatter ("level") models.
• Technology paradigm shift: cloud, mobile, social networking.
• The aftermath of SOX.
What This Means for You
• IT Assurance is a stable, diverse, and therefore desirable field.
• As more talented people are drawn to the profession, the bar keeps rising.
• Old question: "How do I get out of audit?"
• New question: "How do I get in?"
SOX Descriptors
• Checklist
• Structured
• Black and white
• Overly focused on financial risks
• Repetitive
• Straightforward
• In the box
Audit Descriptors
• Risk-based
• Creative
• Many shades of grey
• Persuasive
• Business savvy
• Value focused
• Must answer the question: "So what?"
The Essential IT Assurance Skill Set
• Relevant technical skills
• Deep understanding of audit/assurance methodologies, regulations, etc.
• Business savvy: industry knowledge, and an understanding of how IT enables organizational success
• Interpersonal communication skills and emotional intelligence
• Credentials
Technical Knowledge: Core
• General controls and application controls review experience in client/server environments (e.g., Windows networks, Unix)
• Common e-commerce and web-based application architectures
• ERP (Enterprise Resource Planning) packages such as SAP, PeopleSoft, and Oracle
• Mobile devices and applications
Technical Knowledge: Emergent and Highly Valued
• Technical OS and security reviews (especially Unix, Linux, and ERPs)
• Oracle DB and other large databases
• IT audit/security of cloud computing (SaaS, IaaS, PaaS)
• CAATs (computer-assisted audit techniques): data extraction and analysis with ACL, IDEA, SAS, SQL, etc.
• Continuous monitoring/continuous auditing
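The technical OS reviews, CAAT scripting and continuous monitoring listed above are easier to picture with one concrete check. The Python script below is an added example, not part of the CACS 2012 deck or Duval Search's material: it runs three Unix general-controls checks (a second UID 0 account, an empty password hash, and an unlocked account whose password never expires) over constructed /etc/passwd and /etc/shadow extracts. The sample accounts and the 90-day maximum password age are assumptions for illustration; the same loop, fed real extracts on a schedule and diffed against the previous run, is the kind of test a continuous-auditing program automates.

```python
"""Added example (not from the CACS 2012 deck): CAAT-style Unix general-controls
checks over /etc/passwd and /etc/shadow extracts. Sample data and the
90-day password-age threshold are assumptions for illustration."""

# Constructed sample extracts (not from a real system). The "backdoor" and
# "bob" entries are planted so that each check has something to find.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
backdoor:x:0:0:legacy svc:/:/bin/sh
svc_report:x:1003:1003:Report service:/srv/report:/bin/bash
"""

SHADOW = """\
root:$6$abc$hash:19000:0:90:7:::
daemon:*:19000:0:99999:7:::
alice:$6$def$hash:19000:0:90:7:::
bob::19000:0:90:7:::
backdoor:$6$ghi$hash:19000:0:99999:7:::
svc_report:!:19000:0:99999:7:::
"""

MAX_PASSWORD_AGE_DAYS = 90  # assumed policy value; take it from the org's standard


def parse_colon_file(text):
    """Split a colon-delimited passwd/shadow extract into lists of fields."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def review_accounts(passwd_text, shadow_text, max_age=MAX_PASSWORD_AGE_DAYS):
    """Run the checks and return (account, finding) tuples in /etc/passwd order.

    Returning data rather than printing lets the result be written to a
    workpaper, diffed against the last run, or fed to a monitoring dashboard.
    """
    findings = []
    shadow = {fields[0]: fields for fields in parse_colon_file(shadow_text)}
    for fields in parse_colon_file(passwd_text):
        name, uid = fields[0], int(fields[2])
        # Check 1: privileged accounts. Any UID 0 besides root is a second superuser.
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        entry = shadow.get(name)
        if entry is None:
            findings.append((name, "no /etc/shadow entry"))
            continue
        pw_hash, max_days = entry[1], entry[4]
        # Check 2: an empty hash field means login succeeds with no password at all.
        if pw_hash == "":
            findings.append((name, "empty password hash (no password required)"))
            continue
        # Check 3: password aging, only for accounts that can log in with a
        # password; a leading "!" or "*" marks a locked or password-less account.
        locked = pw_hash.startswith(("!", "*"))
        if not locked and (not max_days.isdigit() or int(max_days) > max_age):
            findings.append(
                (name, f"password max age {max_days or 'unset'} exceeds {max_age} days")
            )
    return findings


if __name__ == "__main__":
    for account, finding in review_accounts(PASSWD, SHADOW):
        print(f"{account}: {finding}")
```

On the sample data the script reports bob (no password required) and backdoor twice (extra UID 0, password never expires); daemon and svc_report are skipped by the aging check because they are locked. In a real review the extracts would come from the host under test and the threshold from the organization's password standard, and the finding list is what gets tied back to the control objective in the workpaper.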
How Do You Enhance Your Technical Skills?
• Attend training.
• Find a mentor.
• Request assignments that stretch your skill set.
• Use Internet resources: audit sites, blogs, social networks (e.g., LinkedIn groups).
• Go back to school (local university, community college, online courses).
• Build a lab network at home.
• Bottom line: don't depend on your employer to train you.
Business Knowledge
• Thorough understanding of the legal, regulatory, and compliance issues specific to your industry, e.g., HIPAA, PCI DSS, SOX, SSAE 16, Dodd-Frank…
• Are you an "industry insider"? Do you know where your company's stock closed yesterday? Its major initiatives? Its standing versus competitors?
• Who are your customers, and what do they want?
• The goal is to be able to relate technical control and risk issues to core organizational objectives and mission.
Linda Kostic (ISACA Journal, Vol. 1, 2010):
"In the beginning, computer systems and networks were not complex, resulting in less training and understanding of technology concepts, and minimizing the audit preparation and execution time. Now, an IT Auditor must have the skills to evaluate complex systems and networks, and identify potential compensating controls in areas outside of the scope of the audit. And, since technology merely automates the business processes, it is important for IT Auditors to expand their background to include financial and business processes specific to their organization as well as potential external factors, in order to fully understand the risk exposure."
IT Assurance "Soft Skills": Communication Savvy and Emotional Intelligence
• The goal (of course) is to communicate confidently and competently with people at all levels in your organization.
• Our communication flows from two things:
  • Knowledge
  • Attitude
• Build trust by demonstrating knowledge, focusing on common ground, doing more than is expected, and delivering what you promise.
Enhancing Communication Skills
• Become "business bilingual": communicate technical risks to non-technical business leaders, and describe business risks to technical personnel.
• If you become a translator, you are empowered to negotiate and mediate the differences between "technical" and "business" leaders.
• Improve by seeking constructive feedback from your supervisor, mentors, and peers.
• Role-play to focus on specific areas for improvement, and to prepare for important meetings.
Certifications and Degrees
• The CISA certification is now essential for IT audit and assurance professionals.
• CISSP
• CIA, CPA
• CISM, CIPP, CRISC, CGEIT, CFE
• The importance of a completed four-year college degree
• Advanced degrees (MBA, MS, Master's in Accounting): how to decide?
Duties
• Scheduled and conducted meetings; developed and maintained client relationships; documented issues and presented recommendations.
• Identified and evaluated control weaknesses within the client's computer environment, and formulated strategies for remediation of process deficiencies.
• Planned and led UNIX, Windows, AS/400, and Oracle database general computer control reviews.
Duties into Impacts
• Duty: Assessed availability, security, and replication settings of Sybase data servers.
• Impact: Assessed availability, security, and replication settings of Sybase data servers, identifying the 35 most relevant (out of 210) Sybase configuration settings to test across 20 servers in 4 days (2 days ahead of schedule).
Duties into Impacts
• Duty: Examined security settings of 2 Microsoft IIS web servers to identify potential security vulnerabilities.
• Impact: Examined security settings of 2 Microsoft IIS web servers to identify potential security vulnerabilities; identified settings that posed a threat to the security of critical web-based applications handling at least $10 million daily.
Impacts
• Established a third-party security program to manage and assess the security risks of over 200 vendors based on each vendor's risk profile. The program was recognized by the CEO for its alignment with the business and for raising the security awareness of the organization's business partners.
• Performed assessments of Oracle EBS setups and configuration reviews, and advised management of ways the system could be used to automate processes and reduce dependence on IT-dependent manual controls. One recommendation, moving from an IT-dependent manual control to an automated control, is predicted to save more than $100K over 4 years.
Impacts
• Played a key role in implementing and improving IT processes and procedures in response to numerous open audit and regulatory findings, resulting in $110K in audit-fee savings and no negative audit findings or penalties since inception.
• Rationalized the SOX IT control structure, resulting in 75% fewer control activities and efficiency gains that eliminated third-party fees and reduced the administrative burden of ongoing compliance activities.
Summary
• Focus technical competencies on Unix, network security, ERP (SAP, Oracle, or PeopleSoft), CAATs (ACL), and cloud and mobile technology deployments.
• Educate yourself in relevant legislation, regulations, and methodologies (PCI, HIPAA, IFRS, COBIT, etc.).
• Become "business bilingual": translate technology risks into business language.
• Seek training. Get certified. Take responsibility for your own professional development.
• Ensure continued relevance and success by focusing your career on impacts rather than duties.