Auditing/Need advice on how to transition from an IT career to IT Audit
Expert: Don Sadler - 8/1/2009
Question: Hello,
I have worked as a network engineer for the past 15 years doing operations, implementation and engineering of data networks. I have spent my career primarily in the financial services industry and, now, am looking to transition out of network engineering. I would like to be able to bring my 15 years of IT experience (in the financial services sector) with me in this transition and have been interested, for some time, in IT audit.
I have been advised to pursue the CISA certification and am doing this in hopes of opening up some doors as well as to help get myself acclimated to a whole different way of thinking. Of course, this isn't the best job market to try a career transition and I am wondering the best way to market my network skills in the audit world. It would seem, so I was thinking, that, for lack of a better way of saying it, I have something people may want (an understanding of how network devices work, react, etc.) and others have something I want (an understanding of audit standards, SOX, SDLC, CMM, etc.) How the twain shall meet is the question? Would it perhaps be a good idea to offer my services to review network devices, logs in a consulting capacity as a way in to the audit world in return for a position where I could be trained in those areas where I am currently not up-to-speed?
I would greatly appreciate any advice, suggestions, directions, etc. you might be able to offer in terms of what it would take for me to pursue this avenue of career transition and, further, whether it is one that makes sense considering my background as described above.
Thanks for your time - it is greatly appreciated!
Robert Dauman
Answer: I believe you underestimate the value you would bring to any audit shop. In almost every audit department I have seen, the auditors who have a CISA have a far more theoretical or academic knowledge than a practical knowledge. They are typically the ones who do network audits because, presumably, they will be able to better communicate with the IT folk who run/manage the networks and related IT infrastructure. Even so, they seldom are granted access to thoroughly conduct a N/W audit so they must compartmentalize their inquiries and work in concert with a reluctant IT person who takes their questions, runs the reports, and also helps them understand the results.
Where your value lies is in the ability to ask the right questions, intuitively understand the methodologies/limitations involved in obtaining the results of the inquiries and be able to interpret the results without much assistance (trust me, despite your experience, you will encounter bizarre situations and one-off systems where you will need some help).
Getting the CISA certification is a smart move – follow that by some general reading about auditing in general. Bear in mind, though, when the smoke clears, auditing is nothing more than comparing ‘What is’ to ‘What should be’. For example, if the IT security policies say that adds, changes, and deletes (of users) must be authorized by a signed add/change/delete request form and that only department heads can sign them… that is the ‘What should be’… Your audit test would be to take a sample of (or all of) the adds/changes/deletes for a given period and review each action to see if it has the required form. Compare a user list to an employee list…
What I am saying is that the auditing part is not rocket science despite what people might say. Find some ISACA manuals, some IIA literature (even a review book for the CIA exam) and read/understand the general audit approach. I would further suggest that much of the work you did in IT was of an audit nature although you may not have called it that. You can enrich your resume by stating that you have been performing operational IT or N/W audits for X number of years including access control, change control, firewall security, etc.
One final quality you have (which I also have and it has been invaluable) is that you do not bring an ‘audit mindset’ to the job… rather, you bring an ‘operational mindset’ to the job, which will help with your audits since, unlike most auditors, you will not be looking for a ‘gotcha’ moment when you discover a single mistake out of hundreds of transactions or actions and try to make a big deal out of it. You will understand the difference between what is material (important) and what is not.
You should seek a position in internal audit at your own company or another. If unable to do that, at least meet with the director of audit and express your interest in making a career change and offer your assistance as a ‘guest auditor’ for specific engagements… get the arrangement sponsored by your executive and have some fun – it all makes you more marketable for when you decide to make a formal move.