by Michael Kamens

SOX education: How to enter the field

Opinion
Mar 20, 2006 · 3 mins
IT Skills, Networking

Judging from the numerous responses to my column "Tips toward surviving a SOX audit," readers have three main questions related to the Sarbanes-Oxley Act:

How does one get into the IT auditing field?

Is there still a SOX market for independent security auditors?

What about risk analysis?

Companies are in the process of restructuring how they will satisfy external auditors’ requirements. In the beginning, companies simply followed everything their external auditors demanded for fear of not being SOX-compliant. When the bills started coming in, firms began taking steps to halt the revenue bleeding. Shellshocked from paying millions of dollars to external auditors and internal contract SOX auditors, many companies are hiring their own SOX-trained IT auditors to supplement their internal staffs, which focus on financial controls.

There are several steps interested parties can take to get into the IT auditing field. Education, certifications and field experience are critical. Become a member of the Information Systems Audit and Control Association and purchase training materials for the Certified Information Systems Auditor and Certified Information Security Manager certifications. The tests are given twice a year – June and December – and you will need to set aside time to prepare for them. The tests cost $495 each and require a 75% score to pass. Once you are certified, there are two ways to enter the field: work as a contractor for experience or work for companies willing to train you. Remember, the more experience you can couple with your certifications, the more valuable you will be to potential employers.

Is there still a market for independent security auditors? Absolutely, but you must offer more services, such as writing policies, procedures and guidelines; risk analysis; and remediation. Some companies hire minimally experienced auditors to save money. Hiring by cost is really a roll of the dice, as many independent security auditors can talk the talk but cannot walk the walk. How ironic that just two years ago only the best and most expensive were in demand.

Risk analysis is becoming important in an effort to mitigate the potential for damage caused by poor controls. This appears to be a field many large, independent CPA firms, with their own loyal client bases, are moving into. The public wants assurance from the companies they deal with that their personal data will not be compromised. Companies of all sizes need in-house staffs or consultants to ensure they don’t end up in the news because of data tampering leading to ID theft.

If you’re interested in getting into the IT auditing field, now’s the time. The demand for highly trained and specialized individuals is high – companies cannot afford the appearance of not safeguarding their customers’ personal data.