Auditing/Breaking into the field of IT Auditing

Question
I don't have an IT background nor have I ever worked in IT, but I have passed the December 2008 CISA exam.  I aced the dreaded chapter 5 section of the test, which accounts for 30% of the total score & I found chapter 5 to be the easiest of the 6 sections of the exam.  I plan to take the CISSP exam either in December 2009 or in June 2010.  I have worked in finance down on Wall Street since 1993, but I am leaning towards an IT audit career in PCI & HIPAA.

What should be the next steps that I should be taking to enter the IT auditing field?  What types of positions are most compatible to my current qualifications and what can I expect to be asked on interviews & salary compensation?

Thank you for taking my question & your time!


Karl

Answer
Karl,

You have made a good choice.  Both PCI and HIPAA will be hot for a long time, especially HIPAA given the stated national objective of a unified health care information system.

First, you can find salary information here http://crum.pl/ju6 and a simple search will provide many other similar sites.  

With your finance background, you will likely already be somewhat attractive from a security standpoint.  All of auditing is ultimately tied to finance… if the issue is not material (beneath some arbitrary monetary threshold), it will not be audited.  If you have passed the tests, then you have a foundational knowledge of the industry.  You can expect a number of different types of interview questions and if you look at my previous answers you will see a number of interview questions I have shared.

Basically, though, you will do well in any interview if you focus on the fact that auditing is truly nothing more than comparing ‘what is’ to ‘what should be’.  In many cases, you will find that ‘what should be’ has never been documented and that would be your first finding.  Without some standard against which to audit you would seek other industry standards or best practices (COBIT, for example).  Comparing what is to what should be will vary depending on the issue involved and the system or process under review.  That said, it all boils down to the simple comparison previously stated.

Without the industry experience, you will probably seek an entry-level position… one of the major CPA firms (Price Waterhouse, KPMG, etc.) would be good – they will work you hard but in two years you will get great exposure to various systems and industries and the two years with one of those firms will do wonders for your resume and marketability.

Speaking of marketability – you should do some searches and try to identify the major software applications that provide access control, HIPAA & PCI compliance… there are many firms that specialize in these areas and reading through the educational material on their websites will give you insightful knowledge that will serve you well in interviews.

Hope this helps.

Don Sadler

Expertise

I can answer regarding Internal Auditing - especially operational audits, audit management, and how to revitalize a dysfunctional audit department. Also give advice to "auditees" on how to deal with auditors.

I DO NOT ANSWER HOMEWORK OR CLASS PROJECT QUESTIONS. For those answers, I suggest you scan previously asked questions and search on your favorite search engine.

I ALSO DO NOT ANSWER TAX QUESTIONS AS THIS IS NOT WITHIN MY EXPERTISE. NOTE: I am not an accounting expert although I will try to help if I can... ask at your own risk.

Experience

I have worked in the public and private business management arena with experience in OMB, Resource Management, Internal Auditing and consulting. I am a former President of the Inland Empire Chapter Institute of Internal Auditors, previously held Director positions in the Orange County Information Systems Audit and Control Association and the Northern Telecom International User's Association. I am a Certified Fraud Examiner and a Certified Information Systems Auditor.

Organizations
Institute of Internal Auditors, Association of Certified Fraud Examiners, and Information Systems Audit and Control Association (ISACA)

Education/Credentials
MBA, CISA, CFE

Founder and Principal of Applied INTEGRITY Management Consulting Group

©2012 About.com, a part of The New York Times Company. All rights reserved.