Immanentized
Mar 17, 2009
Hello BFC goons, and welcome to the new thread on Auditing, Consulting, SME's, and Advising. Mods, if you think this would be better suited for Ask/Tell, please relocate as necessary. I used to have the handle Handbanana125 and last week, it seemed a bunch of people were receptive to the idea of starting a thread based on this topic.

My experience in the field(s) of consulting and advising is rather limited at the moment (only 3 years), but I've had some really amazing chances to meet with some highly influential people in the field and use their knowledge to supplement my own and get some really great viewpoints.

If anyone else has some knowledge they'd like to share in this industry, across all fields, please feel free to add! As I said, my posts will mostly be from a small-business/internal advisor point of view, so alternate approaches would be awesome.

What is this all about then?
A lot of posters have to deal with external consultants/auditors in their day-to-day work. This is probably most true for people in mid- to high-level corporate positions or who work in any industry with significant amounts of regulations or project turnovers. This thread is to hopefully open a discussion on how this stuff affects businesses, what it's worth in a large-scale sense, and maybe even a little info on how to break into the field.

So what do you do?
My official title is IT Auditor for a Fortune 500 company. We are considered one of the Internal Audit departments in the Finance/Insurance field, and have taken steps to completely rework what an Audit Division does to add value to a company. My responsibilities are mostly internally focused, but I do have to assist external consultants with their assignments and I am on occasion loaned out to subsidiaries or vendors for special projects.

About 10% of the time, I sit around and make sure that our internal policies are in compliance with all sorts of Government Regulations. This is pretty much the "auditing" part of my job.

About 30% of the time, I follow up on a huge mess of projects that my company has going to make sure they're all on track and not in danger of imploding.

The rest of my time is spent going around to different business areas within my corporation and its subsidiaries, and helping them plan, update, rework, or otherwise break down their processes and workflows in order to improve them or to otherwise make them "better".

Make with the Consulting bit.
As a side job, I advise small business owners in my city on the basics of information/financial security for their payment and billing systems. It's a really huge thing for small merchants to keep themselves risk-minimal when dealing with stuff like credit card payments, payroll, and structured payments, as one slip-up could potentially see them shut down. I work with a loose group of similar freelance professionals in this field and we are attempting to make some kind of professional organization around better business practices in our city.

In addition to my freelance work, I also contribute to a couple of professional groups that focus on PCI, IT, and Process Management practices. Currently, I'm contributing (on a local level) to a group called the InfraGard, which is pretty exciting. I will post about this if it becomes applicable, but I can't say a whole lot.

Please note that this thread is very much under construction. I will be filling out a couple more posts as the day goes on.

Please post your comments, questions, or whatever you feel could possibly add to the conversation!

Immanentized fucked around with this message at 13:39 on May 29, 2014

Immanentized
Mar 17, 2009
What is Auditing All About
The purpose of any audit is to determine whether or not your system is operating within the controls and framework it exists within and that it produces results that are more or less in sync with your company's objectives and expectations.

Most audits are based on substantive testing, where the auditor goes around to various Subject Matter Experts or Process Owners for items within scope and obtains evidence and testing material for them before carrying out independent tests. There are many different types of audits carried out across every industry. Most of you are most familiar with Financial Audits, like the types carried out by banks or the IRS; those of you in project management might be aware of quality audits; some of you know about energy or compliance audits.

Basically, if it affects the company's bottom line and adds value to the company, there is an audit to measure the overall effectiveness of any process.

I'm going to do a very, very brief and horribly simplified survey of the origins of independent auditing and a couple of key recent events. I know these are sweeping generalizations and I will flesh them out in later posts if requested.

A Little History, Compressed for Brevity
Auditing as an independent industry got its start in the UK in 1845 when William Deloitte scored a job with a major railway company to keep its books in order. You may recognize the name Deloitte as being the key part of Deloitte, Touche, Tohmatsu Limited, one of the so-called "Big 4" audit firms. When William opened his first truly independent office in NYC 35 years later, he basically kicked off a huge (and often controversial) industry of external independent auditing.

Auditing in the U.S.A.
Most of the posters on here are old enough to remember the implosion of Enron way back when. There's a book dealing with the fine details of the whole mess called "The Smartest Guys in the Room" that I would recommend for a survey of what went wrong, but I'm going to focus on the external fallout here.

What most people are unaware of is that Enron had a lot of external help in cooking its books throughout its decline. A company named "Arthur Andersen" was contracted by Enron to audit its financial records and ensure that everything was on par. To put it briefly, they hosed up big. After Enron went under, AA voluntarily surrendered their license to perform financial audits and was prohibited from performing any accounting services in the US. It was a HUGE deal, and the audit industry as a whole suffered a significant blow from the fall-out.

2002: Restructuring of the industry, Standards, and New Regulations
In 2002, as a direct result of the collapse of Enron and a number of other large companies, the Sarbanes-Oxley Act was passed, focusing on regulating and assigning new laws and increased accountability to Public Companies and Public Accounting (read: audit) Firms. This was a huge change as it was a complete shift in how many major corporations operated and it introduced a controversial but effective way to regulate massive companies and exert some government control over financial practices. I'm not going to go too far into this here, but there is a lot of love-hate still going around on the S-OX Act, and it's pretty interesting to see where the reactions come from.

More Changes Ahead
At the moment, the SOX Act is the baseline for most large enterprises, and the SOX 404 is still generating a fair amount of concern regarding the fairness of the Act's measures. Most recently, the Dodd–Frank Act introduced the largest set of changes to financial regulation since SOX, and the Durbin Amendment was a neat piece of legislation that generated some interesting fallout in the payment processing industry.

Note: I want to work on this section a bit more, so I would appreciate if anyone with experience can send me suggestions or corrections.

Immanentized fucked around with this message at 13:54 on May 29, 2014

Immanentized
Mar 17, 2009
External Consulting

Pending full rewrite. If anyone wants to take this over, shoot me a PM

to be built out after meeting with E&Y contact

Immanentized fucked around with this message at 17:33 on May 28, 2014

spwrozek
Sep 4, 2006

Sail when it's windy

I work at a utility and dealing with FERC and NERC audits is the best (OK not really). The good news is I passed mine last month. It is a very interesting process though. Sitting down and getting asked where all the documentation is and having to prove it. It can be kind of nerve-racking when you are trying to find something you know you saved.

Kind of related, I have been dealing with our lawyers as a result of an accident that I helped on after the fact. I have been signing a lot of documents saying I saved my files here, didn't delete anything, etc. I am glad I am a PE but I am hopeful I don't have to go to court.

100 HOGS AGREE
Oct 13, 2007
Grimey Drawer
I wish I was a real SME with the knowledge and compensation that entails, but in actuality I don't have any important knowledge and I'm responsible for telling my co-workers how to perform basic work tasks they should already know how to do. It's just a bullshit title the corporation I work for piled on me.

I'd like to hear what things actual subject matter experts do in their fields.

Immanentized
Mar 17, 2009

spwrozek posted:

I work at a utility and dealing with FERC and NERC audits is the best (OK not really). The good news is I passed mine last month. It is a very interesting process though. Sitting down and getting asked where all the documentation is and having to prove it. It can be kind of nerve-racking when you are trying to find something you know you saved.

I was going to get into the documentation side next, so thanks for that segue.

The deal with a lot of companies is that they automatically build in an "audit" module to their systems and processes. One of the things I'm really thankful for in my company is that we use a tool called "Certus", which is a dedicated S-OX compliance piece of software that allows folks such as yourself to automatically store and sort key documents and policies according to laws they pertain to. I haven't dealt directly with FERC, but I am familiar with the OCC, and getting audited by the Feds, no matter how routine, always kinda freaks me out.

One of the really cool things of the past decade is the increasing utilization of audit and compliance efficiency software suites. These are usually relatively simple programs or scripts that can be slapped onto many existing networks and save Business Area Owners, SMEs, and the like hundreds of hours each year when it comes to compliance time, and cut down on the overall infrastructure required for document retention and all that other pesky stuff.

Another huge deal has been the importance of Business Information Management, and Business Continuity Planning. When I say that the fall of Enron and the S-OX act changed the entire concept of what corporate audits were supposed to do, I really cannot stress just how significant and fundamental the change has been in the past 12 years.

Immanentized fucked around with this message at 18:50 on Jun 2, 2014

oxsnard
Oct 8, 2003
This thread could be fun. I'm an internal EHS (environmental, health and safety) auditor with a fortune 500 energy company. I am the corporate SME for air (clean air act mostly) compliance.

I love auditing. People look at me like I'm crazy when I say that, but it's a constantly challenging environment. I'm not always everyone's favorite person to see, but discovering gaps in compliance and compliance systems is massively rewarding.

Sarern
Nov 4, 2008

:toot:
Won't you take me to
Bomertown?
Won't you take me to
BONERTOWN?

:toot:
External (performance) auditor here. I've only been doing it for a few months, but it's really fun so far.

I'm never anyone's favorite person to see.

Immanentized
Mar 17, 2009

Sarern posted:

External (performance) auditor here. I've only been doing it for a few months, but it's really fun so far.

I'm never anyone's favorite person to see.

:argh:

Kidding aside, external types do extremely thorough jobs, and make the internal job so much easier. The only complaint I've ever had with external folks was when a big 4 company came through, completely dropped the ball on all aspects of a project and didn't own up to anything. To be fair, it was a 100% new office and all of them were ESL's. Any big projects yet or are they easing you into it?


oxsnard posted:

I love auditing. People look at me like I'm crazy when I say that, but it's a constantly challenging environment. I'm not always everyone's favorite person to see, but discovering gaps in compliance and compliance systems is massively rewarding.

Share some stories, if you don't break any NDA's! I too love my job but I don't want to clutter my own thread, love to have you or Sarern talk a bunch about your own experiences!

Immanentized fucked around with this message at 14:53 on Jun 9, 2014

oxsnard
Oct 8, 2003
Heh right in the middle of a crazy audit prep week. I'll type up some stories this week.

Sarern
Nov 4, 2008


Immanentized posted:

:argh:

Kidding aside, external types do extremely thorough jobs, and make the internal job so much easier. The only complaint I've ever had with external folks was when a big 4 company came through, completely dropped the ball on all aspects of a project and didn't own up to anything. To be fair, it was a 100% new office and all of them were ESL's. Any big projects yet or are they easing you into it?


Share some stories, if you don't break any NDA's! I too love my job but I don't want to clutter my own thread, love to have you or Sarern talk a bunch about your own experiences!

I'll try to think of some, but 1) I've been doing this for only a few months and 2) my confidentiality rules are insanely strict.

Hearing that a big 4 company rolled in, dropped the ball, and didn't own up doesn't surprise me. So far I'm getting the impression that the better external performance audit shops report directly and only to whatever the oversight body is.

edited for clarity

semicolonsrock
Aug 26, 2009

chugga chugga chugga

Immanentized posted:

External Consulting

Pending full rewrite. If anyone wants to take this over, shoot me a PM

to be built out after meeting with E&Y contact

Are you trying to do this about just accounting style consulting or strategy consulting? I think the capitulator, pissingintothewind, or sogol could talk about the latter.

Democratic Pirate
Feb 17, 2010

I'm starting an auditing gig with a Big 4 firm in a little over a month. I'll be starting out on standard control testing and SSAE 16 engagements, but I'd like to branch out into a more consulting type job at some point - it just seems more fun to help build an IT system that is effective and compliant from the start instead of coming in and saying "well everything seems good except for the 10 different employees with superuser access that was never approved or reviewed." I did an internship a few years back during the IT "busy season" to prep for the real financial busy season and had a great experience. I worked closely with internal auditors on a couple of clients. The main problem I had with them was lack of effective documentation. I could tell they did their work, but it was a bitch to sort through workpaper sets that would randomly change reference formats and include screenshots with no explanations. That problem wasn't limited to internal audit though; I picked up an associate's unfinished controls after they rolled off an engagement and they had, for some reason, decided to do their documentation in a completely different format than everyone else on the team. Random font colors, fonts, and evidence references everywhere. Terrible.

As I get closer and closer to my start date, I've realized my knowledge of the business world is sorely lacking. I'm going to start skimming more BFC threads about finance and such, but currently my only major site for auditing news is Going Concern. Does anyone have any reading recommendations I should check out? Books, blogs, newspapers, etc. Anything works.

Sarern
Nov 4, 2008


Democratic Pirate posted:



currently my only major site for auditing news is Going Concern.

I'd never seen this website before. I'm surprised you saw such a variety of workpaper sets and referencing - at my shop they're very strict about having one way to reference/do documentation/what colors mean.

In the meantime, we just had 3 new sub-objectives added to my audit. The one where we were supposed to be done with fieldwork in two weeks :bang:

Bloody Queef
Mar 23, 2012

by zen death robot

Democratic Pirate posted:

I'm starting an auditing gig with a Big 4 firm in a little over a month. I'll be starting out on standard control testing and SSAE 16 engagements, but I'd like to branch out into a more consulting type job at some point - it just seems more fun to help build an IT system that is effective and compliant from the start instead of coming in and saying "well everything seems good except for the 10 different employees with superuser access that was never approved or reviewed." I did an internship a few years back during the IT "busy season" to prep for the real financial busy season and had a great experience. I worked closely with internal auditors on a couple of clients. The main problem I had with them was lack of effective documentation. I could tell they did their work, but it was a bitch to sort through workpaper sets that would randomly change reference formats and include screenshots with no explanations. That problem wasn't limited to internal audit though; I picked up an associate's unfinished controls after they rolled off an engagement and they had, for some reason, decided to do their documentation in a completely different format than everyone else on the team. Random font colors, fonts, and evidence references everywhere. Terrible.

As I get closer and closer to my start date, I've realized my knowledge of the business world is sorely lacking. I'm going to start skimming more BFC threads about finance and such, but currently my only major site for auditing news is Going Concern. Does anyone have any reading recommendations I should check out? Books, blogs, newspapers, etc. Anything works.

It can be very difficult to switch from the assurance department to the advisory department, which is where you'd do IT implementation and such. It only gets tougher the longer you're in.

If you're not in love with your particular b4, the easiest way would be going to another.

Democratic Pirate
Feb 17, 2010

Sarern posted:

I'd never seen this website before.

Associates on my internship told me to check it out - I would read it in the morning before starting the day to see if anything newsworthy happened. Definitely not a professional site with analysis or high-level reporting.

charsiu
Mar 10, 2012

Democratic Pirate posted:

I'm starting an auditing gig with a Big 4 firm in a little over a month. I'll be starting out on standard control testing and SSAE 16 engagements, but I'd like to branch out into a more consulting type job at some point - it just seems more fun to help build an IT system that is effective and compliant from the start instead of coming in and saying "well everything seems good except for the 10 different employees with superuser access that was never approved or reviewed." I did an internship a few years back during the IT "busy season" to prep for the real financial busy season and had a great experience. I worked closely with internal auditors on a couple of clients. The main problem I had with them was lack of effective documentation. I could tell they did their work, but it was a bitch to sort through workpaper sets that would randomly change reference formats and include screenshots with no explanations. That problem wasn't limited to internal audit though; I picked up an associate's unfinished controls after they rolled off an engagement and they had, for some reason, decided to do their documentation in a completely different format than everyone else on the team. Random font colors, fonts, and evidence references everywhere. Terrible.

As I get closer and closer to my start date, I've realized my knowledge of the business world is sorely lacking. I'm going to start skimming more BFC threads about finance and such, but currently my only major site for auditing news is Going Concern. Does anyone have any reading recommendations I should check out? Books, blogs, newspapers, etc. Anything works.

I was in your position when I worked at a big 4 doing IT audits and SSAE16 engagements. I came from an IT background and got lucky getting a job right around 2009. I took the offer because there was nothing else out there. I stuck with it for two years before moving on. Check out http://retheauditors.com/ too. Definitely read up on the previous year's report when you get assigned. Section 4 helps in understanding the client's business.

Immanentized
Mar 17, 2009

charsiu posted:

I was in your position when I worked at a big 4 doing IT audits and SSAE16 engagements. I came from an IT background and got lucky getting a job right around 2009. I took the offer because there was nothing else out there. I stuck with it for two years before moving on. Check out http://retheauditors.com/ too. Definitely read up on the previous year's report when you get assigned. Section 4 helps in understanding the client's business.

Gonna add that link to the OP, thanks for the heads up. Also want to say that leveraging the previous audit (if any) of a given system or business area should always be the best starting point. It saves a ton of work in the planning phase, and if you can identify any deficiencies in the testing, you can work that into a positive review point come evaluations.

semicolonsrock posted:

Are you trying to do this about just accounting style consulting or strategy consulting? I think the capitulator, pissingintothewind, or sogol could talk about the latter.

Both actually, if anyone with this experience wants to contribute, I'll quote their posts in that tab.


Does anyone else seek out non-audit industry certifications? I'm working on a CISSP myself, was thinking about one of the SANS ones next, but would love to know what the baseline, if any, is like.

Immanentized fucked around with this message at 14:53 on Jun 9, 2014

N.N. Ashe
Dec 29, 2009
So how did you get your foot in the door in IT Audit? I'm wanting to get into that and passed the CISA in December, but all my experience (just a couple years) has been routine accounting for small business. Every IT Auditor job I see is looking for at least a year of audit work, IT or otherwise.

It's a bit of a bummer, anyone have any advice? Right now I'm studying for the CIA, and then maybe CISSP to show that this is something I'm pretty into. Is that an okay path to take or should I be doing something different?

charsiu
Mar 10, 2012

N.N. Ashe posted:

So how did you get your foot in the door in IT Audit? I'm wanting to get into that and passed the CISA in December, but all my experience (just a couple years) has been routine accounting for small business. Every IT Auditor job I see is looking for at least a year of audit work, IT or otherwise.

It's a bit of a bummer, anyone have any advice? Right now I'm studying for the CIA, and then maybe CISSP to show that this is something I'm pretty into. Is that an okay path to take or should I be doing something different?

I was lucky enough to find an opening at PwC right before I graduated from college. All the larger accounting firms, as far as I know, recruit direct from college. It's probably too late since each 'class' of recruits starts in the next month or so. If I remember correctly, recruiting starts in the Fall. For you, you might want to look up your local big 4 recruiters on LinkedIn and see if they can be of assistance.

I don't think you'll need to get any other certifications besides what you currently have. I don't recall many associates having anything beyond their CPA or CISA.

Where are you located? I may be able to pass along some recruiters if you're in NYC. Actually, that reminds me that a spruced up LinkedIn profile has gotten me quite a bit of leads. I'm sure many of them weren't for the greatest positions, but it'll at least get you started in the right direction.

Bamabalacha
Sep 18, 2006

Outta my way, ya dumb rah-rah!
Auditors, what are the educational requirements for your current positions?

I'm the weirdo at my office who loves running around and making sure every area is compliant for internal and external audits in various disciplines and I've been curious for a while now about being on the other side.

Sarern
Nov 4, 2008


Bamabalacha posted:

Auditors, what are the educational requirements for your current positions?

I'm the weirdo at my office who loves running around and making sure every area is compliant for internal and external audits in various disciplines and I've been curious for a while now about being on the other side.

My shop requires a bachelor's, and strongly suggests a master's. A couple of other shops I know require a master's.

N.N. Ashe posted:

So how did you get your foot in the door in IT Audit? I'm wanting to get into that and passed the CISA in December, but all my experience (just a couple years) has been routine accounting for small business. Every IT Auditor job I see is looking for at least a year of audit work, IT or otherwise.

It's a bit of a bummer, anyone have any advice? Right now I'm studying for the CIA, and then maybe CISSP to show that this is something I'm pretty into. Is that an okay path to take or should I be doing something different?

Have you looked at performance audit shops? I was at a training day in the Kansas City area recently and all of the performance shops in the area are having trouble filling associate positions. If you already have a certification of some kind you'll be ahead of everyone else applying for an associate position. At least, most people at my shop have been promoted once or twice before they even get their first certification.

My shop is a performance/IT security shop, and the way to get on the IT side in our shop is to start in performance and then IT recruits internally when a slot opens. Which is what I'm trying to do.

oxsnard
Oct 8, 2003
I promised an explanation of the kind of audits I do and here it goes:

As I explained above, I work for a very large energy company with diverse assets both in the USA and internationally. I am an EHS Professional - Environmental Engineer by title but work in the Corporate Auditing group. I know most of the people in this thread will tend to be either IT/Software auditors or Accounting auditors. Our company has these along with internal DOT/HAZMAT and FERC auditors.

EHS in our case covers the realm of any environmental rule, regulation or permit related to compliance with Air Regulations (Clean Air Act, State Rules, etc), Water Regulations, Spill Prevention Control and Countermeasure rules (SPCC, covers oil tanks and piping near water bodies), Waste regulations (RCRA), EPCRA rules and Remediation projects. Additionally, we look at any OSHA or Coast Guard regulations that affect operations. As I'm sure you can imagine, this is a whole lot to look at, so we tend to do auditing a little differently than financial auditors would. We do not have set, checklist style protocols. I'm the Subject Matter Expert for air compliance (but will look at all of the above-mentioned rules) in our group. If I had to go through a checklist every time we did an audit, I'd waste a lot of time going over basics. Often times, the problems we find during audits are complex and a bit harder to track down. We do spot check compliance with basic permit requirements, check calculations, review checklists, etc. Many times the issue is how the facility is permitted in the first place (e.g. the permit application and associated assumptions that go into it). We also check that the facility's permits and procedures are in line with company policy and that requirements are tracked appropriately using in-house compliance tracking software. The reason we can audit without set protocols is frankly because there aren't generally regulatory requirements to do audits on any frequency. In that manner, we are almost like the State/EPA/OSHA inspector, but get paid industry money (read: a whole lot more) to do it.

The best part of my job is that, in addition to doing the regular paperwork commonly associated with auditing, we also poke around the physical site to make sure that what's on paper reflects reality and also to look for issues not in documentation. It's pretty cool to do some industrial tourism during the audit and chat with operators about how stuff works.

In addition to the general EHS audits, we do PSM/RMP audits. These audits are for facilities that handle highly toxic/explosive substances generally at high pressures. These audits ARE mandated by law in the Clean Air Act and 29 CFR (OSHA), and as such we have to follow a rigid audit protocol and use a defined sampling strategy. I love these audits too as you get to criticize and look at process engineering and process safety work without the keep-you-up-all-night stress of designing or signing off on the process systems in the first place.

Finally, I do ethics (whistleblower) investigations for issues related to environmental compliance. These investigations happen every few months, and they're awful, stressful, miserable things. Important, but I really dread my name getting called for an investigation.

I got into this field after a 4 year stint as a biology lab tech. Went back to night school for my masters in Environmental Engineering. Halfway through the master's I scored a job as an Air Inspector with a government agency. Got some great experience, and 3 years later, applied to work for the company I'm at now. It's a great career if you want to be challenged, constantly learn, and love spending all day telling others why they're wrong with the full blessing of your company :)

oxsnard fucked around with this message at 05:09 on Jun 26, 2014

sink the biz
Jun 13, 2002

My goodness my Guinness
I started out doing aspects of internal IT audit co-sourcing and have transitioned to doing IT strategy and architecture advisory work at a Big 4 firm over the past decade. Happy to throw in my 2 cents as well.

N.N. Ashe
Dec 29, 2009
General question - about how many hours do y'all work a week? I've heard with some places, especially the big 4, the idea of only working 40 hours a week is laughable. Is that true?

charsiu posted:

I was lucky enough to find an opening at PwC right before I graduated from college. All the larger accounting firms, as far as I know, recruit direct from college. It's probably too late since each 'class' of recruits starts in the next month or so. If I remember correctly, recruiting starts in the Fall. For you, you might want to look up your local big 4 recruiters on LinkedIn and see if they can be of assistance.

I don't think you'll need to get any other certifications besides what you currently have. I don't recall many associates having anything beyond their CPA or CISA.

Where are you located? I may be able to pass along some recruiters if you're in NYC. Actually, that reminds me that a spruced up LinkedIn profile has gotten me quite a bit of leads. I'm sure many of them weren't for the greatest positions, but it'll at least get you started in the right direction.

Thank you for the info. Out of curiosity, do you join the big 4 after your Bachelors or Masters? My friends who did go the big 4 route only were able to get in with a masters.

I wish I was in NYC, I'm outside of Dallas, though sprucing up my Linkedin and contacting recruiters seems like a great place for me to put more time into.

Sarern posted:

My shop requires a bachelor's, and strongly suggests a master's. A couple of other shops I know require a master's.


Have you looked at performance audit shops? I was at a training day in the Kansas City area recently and all of the performance shops in the area are having trouble filling associate positions. If you already have a certification of some kind you'll be ahead of everyone else applying for an associate position. At least, most people at my shop have been promoted once or twice before they even get their first certification.

My shop is a performance/IT security shop, and the way to get on the IT side in our shop is to start in performance and then IT recruits internally when a slot opens. Which is what I'm trying to do.

Forgive me, I've not really heard of performance audit companies. Is that like Protiviti or am I super far off? Really interested if these are the type of places where I can get a foot in the door.

Sarern
Nov 4, 2008

:toot:
Won't you take me to
Bomertown?
Won't you take me to
BONERTOWN?

:toot:

N.N. Ashe posted:

General question - about how many hours do y'all work a week? I've heard with some places, especially the big 4, the idea of only working 40 hours a week is laughable. Is that true?

Forgive me, I've not really heard of performance audit companies. Is that like Protiviti or am I super far off? Really interested if these are the type of places where I can get a foot in the door.

As far as I know, performance audits are mostly governmental. On a state level, many legislatures have performance audit shops. Sometimes there is an elected or appointed state Auditor who runs a shop. You'll get to know the Yellow book really well in one of these shops. Universities also often have internal shops, although I have been told those do more compliance audits than performance, and they often use the Red book standards. Cities above a certain size also tend to have audit shops that do performance audits.

I tend to work 45 hours a week or so. Some weeks 40, some weeks 50. Most of the seniors and principals work 60 or more. In a related note, this is why my shop is always hiring - people will quit for industry to get more money or another governmental shop to get more time.

oxsnard
Oct 8, 2003

N.N. Ashe posted:

General question - about how many hours do y'all work a week? I've heard with some places, especially the big 4, the idea of only working 40 hours a week is laughable. Is that true?

Hahahaha. Can't speak for IT/accounting but I'm lucky if it's 40 hours while in the office (30% of the time). Weeks I'm on the road I average 60 or so.

charsiu
Mar 10, 2012

N.N. Ashe posted:

General question - about how many hours do y'all work a week? I've heard with some places, especially the big 4, the idea of only working 40 hours a week is laughable. Is that true?


Thank you for the info. Out of curiosity, do you join the big 4 after your Bachelors or Masters? My friends who did go the big 4 route only were able to get in with a masters.

I wish I was in NYC, I'm outside of Dallas, though sprucing up my Linkedin and contacting recruiters seems like a great place for me to put more time into.


Forgive me, I've not really heard of performance audit companies. Is that like Protiviti or am I super far off? Really interested if these are the type of places where I can get a foot in the door.

I had a bachelors and I believe most of the people I started with had that too. A handful did have graduate degrees.

For the IT auditors in here, did you guys start your careers there? I got bored of doing ITGC testing and decided to leave after 2 years. I have thought about going back into the field if it offers a more technical side. Is there anyone who works on the more technical side of IT audits (infrastructure, SDLC, etc) that could share their experience?

Democratic Pirate
Feb 17, 2010

I only have 4 months of internship experience with risk assurance type engagements, but I averaged about 50ish hours during our busy season. I left the office when my senior/manager did, so unless they worked from home it wasn't too bad unlike my friends in financial audits who hit 75-80 regularly.

The worst part of my internship was the commute - it was normally 45 minutes in heavy traffic because I was living at home to save money. Once I move into my own place closer to the office/clients it'll get much better.

Immanentized
Mar 17, 2009

N.N. Ashe posted:

So how did you get your foot in the door IT Audit? I'm wanting to get into that and passed the CISA in December, but all my experience (just a couple years) has been routine accounting for small business. Every IT Auditor job I see is looking for at least a year of audit work, IT or otherwise.

It's a bit of a bummer, anyone have any advice? Right now I'm studying for the CIA, and then maybe CISSP to show that this is something I'm pretty into. Is that an okay path to take or should I be doing something different?

I started out as a Technical Business Analyst at a PCI company, moved to InfoSec Analyst and made the jump. I volunteered for a lot of the SAS/Logical Access testing stuff and had a really lucky break. The good news is that a lot of companies are going to expand their shops in the coming year, so keep at it.

CISSP is something I'd recommend getting after you land the position. And I'm not sure how you got certified for the CISA, but that's a GREAT plus for your search. CIA is fairly useless if you already have it, and the IIA has horrible management. Stick with ISACA and run with it, maybe get the Audit certification from SANS if you can afford it. I've heard great things.

N.N. Ashe posted:

General question - about how many hours do y'all work a week? I've heard with some places, especially the big 4, the idea of only working 40 hours a week is laughable. Is that true?

I work 36ish and supplement some time working with the Feds for the rest. I rarely break overtime even during busy weeks, though my hours are 6-330 M-T, and ~7-10 on Fridays. I also work for a really great company and go through insane fits of productivity. From quick talks with my coworkers, overtime is rare unless we get pulled in to assist other audit groups. Our management is considered the best in the company and it's something that can make or break an auditor's quality of work.

It all depends on your company, shop, and personal work efficiency.

sink the biz posted:

I started out doing aspects of internal IT audit co-sourcing and have transitioned to doing IT strategy and architecture advisory work at a Big 4 firm over the past decade. Happy to throw in my 2 cents as well.

Please do, this is actually what I want to get into, but not with the Big 4. Be really happy to hear your input!

charsiu posted:

For the IT auditors in here, did you guys start your careers there? I got bored of doing ITGC testing and decided to leave after 2 years. I have thought about going back into the field if it offers a more technical side. Is there anyone who works on the more technical side of IT audits (infrastructure, SDLC, etc) that could share their experience?

See above, I asked my manager what they'd be looking for in a general sense and the answer I got was good areas of experience to have are project management, system integration, and all that fun related experience. Knowing the fundamentals of what makes corporate software tick also helps a ton.

Immanentized fucked around with this message at 15:30 on Jun 26, 2014

oxsnard
Oct 8, 2003
Do you guys do mostly paperwork auditing or does the IT/financial side do lots of interviewing as part of the audit?

I've been an inspector and auditor for 4 years now in environmental and safety, so my ability to "get dirt" out of people has gotten a lot better, but I've got a ton to learn still. Anyone take any courses/seminars to practice and get better at interviews?

air-
Sep 24, 2007

Who will win the greatest battle of them all?

Here's a sort of relevant thread, because I'm sure some of you probably travel frequently too:
http://forums.somethingawful.com/showthread.php?threadid=3516448

Neat to finally see a thread like this pop up and I'll be following it. I'm an IT consultant, but I suppose discussion on what I do would be more appropriate for SH/SC rather than this thread in BFC.

Saltpowered
Apr 12, 2010

Chief Executive Officer
Awful Industries, LLC
Finally a career thread that covers what I do! Well, sort of.

I work on the darker side of the corporate auditing world: investigations. I manage investigations for a Fortune 500 into factories that fail various audits in big ways: ridiculously dangerous working conditions, double books, fraud, bribery, debt bondage, and even child labor. I can't even begin to summarize or describe what all the work entails because one day I'll be doing very technical production and supply chain audits and another day I'll be investigating a factory fire. The only issues I don't investigate are food safety and internal corruption.

There really is no typical work day for me. Every day is a different level of crisis. It's by far the most fun and challenging job I've ever had. I'd be happy to answer any questions about the job (that don't require a breach of confidentiality, obviously). I can talk about auditing/investigating from an ethical perspective and how my sort of audits work in various countries across the world.

Saltpowered fucked around with this message at 06:02 on Jul 25, 2014

Democratic Pirate
Feb 17, 2010

That sounds really interesting. What are your hours like? In college I had a fraud investigator come present and they made it seem like life planning could be hard because you could spend 2 months doing nothing and then suddenly have to work 80 hours/wk for 3 weeks in a random city because of a sudden investigation.

Saltpowered
Apr 12, 2010

Chief Executive Officer
Awful Industries, LLC

Democratic Pirate posted:

That sounds really interesting. What are your hours like? In college I had a fraud investigator come present and they made it seem like life planning could be hard because you could spend 2 months doing nothing and then suddenly have to work 80 hours/wk for 3 weeks in a random city because of a sudden investigation.

My hours are pretty much 700-545 five days a week with some evening and weekend crisis management. Because of the nature of the work, conducting the on-the-ground investigations myself just isn't practical. I don't speak the language, it may take me hours or days to get to the factories, 17 other terrible things might happen while I'm en route somewhere, and it isn't cost effective. Because of the high frequency of bribery and corruption in other countries, you really have to employ multiple 3rd parties to conduct the investigations.

Here's a very general overview of the way an average investigation goes:

I receive allegations of some sort of misconduct. The sources vary from coworkers to audits to anonymous tips to news articles. I do a significant amount of research into the allegations and the factory where they are alleged to occur. This is where the need for a wide breadth of expertise is required because I usually review everything from Health & Safety reports to production capability and local laws.

At this point, I engage what I like to think of as a corporate espionage firm (Kreller is a good example) to conduct on the ground investigations. The firm conducts the investigation under my direction and returns to me all the evidence I asked them to gather. Sometimes the evidence is really clear cut (fires, health and safety, child labor, etc.). Other times it's very complex (anything involving production or corporate fraud for example) and might require several days of review to come to a conclusion.

Based on the evidence gathered, I'll conduct a number of interviews with responsible parties involved. These usually fall into one of two categories: Old Yeller (everyone remembers what happened to Old Yeller, right?) or Come to Jesus (fix your poo poo).

It's a fun job but it's also very high stress because it's 100% crisis management. There will never be a point where I am caught up and don't have some huge investigation looming. From the moment I get to the office to the moment I leave, I am working non-stop. Investigations can drag out for months depending on all the moving pieces and I receive new allegations every day. It's a huge career field that is just now opening up at major companies across the country. If this sort of work sounds interesting to you at all, I highly recommend looking into sourcing and supply chain work for major companies. Just about any company that operates on a national or global level has some department doing this and most of them are less than 10 years old.

seymore
Jan 9, 2012

Lawlicaust posted:

My hours are pretty much 700-545 five days a week with some evening and weekend crisis management. Because of the nature of the work, conducting the on-the-ground investigations myself just isn't practical. I don't speak the language, it may take me hours or days to get to the factories, 17 other terrible things might happen while I'm en route somewhere, and it isn't cost effective. Because of the high frequency of bribery and corruption in other countries, you really have to employ multiple 3rd parties to conduct the investigations.

Here's a very general overview of the way an average investigation goes:

I receive allegations of some sort of misconduct. The sources vary from coworkers to audits to anonymous tips to news articles. I do a significant amount of research into the allegations and the factory where they are alleged to occur. This is where the need for a wide breadth of expertise is required because I usually review everything from Health & Safety reports to production capability and local laws.

At this point, I engage what I like to think of as a corporate espionage firm (Kreller is a good example) to conduct on the ground investigations. The firm conducts the investigation under my direction and returns to me all the evidence I asked them to gather. Sometimes the evidence is really clear cut (fires, health and safety, child labor, etc.). Other times it's very complex (anything involving production or corporate fraud for example) and might require several days of review to come to a conclusion.

Based on the evidence gathered, I'll conduct a number of interviews with responsible parties involved. These usually fall into one of two categories: Old Yeller (everyone remembers what happened to Old Yeller, right?) or Come to Jesus (fix your poo poo).

It's a fun job but it's also very high stress because it's 100% crisis management. There will never be a point where I am caught up and don't have some huge investigation looming. From the moment I get to the office to the moment I leave, I am working non-stop. Investigations can drag out for months depending on all the moving pieces and I receive new allegations every day. It's a huge career field that is just now opening up at major companies across the country. If this sort of work sounds interesting to you at all, I highly recommend looking into sourcing and supply chain work for major companies. Just about any company that operates on a national or global level has some department doing this and most of them are less than 10 years old.

How did you get into this line of work? Sounds like it would be both rewarding as well as, after a while, tiring.

Saltpowered
Apr 12, 2010

Chief Executive Officer
Awful Industries, LLC

seymore posted:

How did you get into this line of work? Sounds like it would be both rewarding as well as, after a while, tiring.

Completely by accident. I had previously worked in business development consulting and compliance. I got a law degree (poor choice right?) and was looking for a part-time gig in between cases, so I took what I thought would be a doc review/corporate counsel staffing position. It ended up being in a corporate audit department doing EHS audit review and compliance. The investigation department was pretty new and understaffed so they pulled me in to help them catch up. It turned into a full-time position. Wasn't what I was expecting but it's the best job I've ever had.

The other investigators have similarly varied backgrounds. One is a former EHS auditor who has conducted thousands of factory audits, another is former military and previously did security and corruption investigations, and another worked in sourcing for a long time before being a founding member of the investigations department.

Social responsibility departments in corporations are usually like that. There's no standard career path and no one there originally planned to be there. It just happened. Most of the major corps have them now (some more developed than others). It's a very new field that has a lot of opportunities if you are interested in the work. And as you said, very rewarding. You get to improve the lives of workers who may work in very bad places.

oxsnard
Oct 8, 2003
If you don't mind me asking, what's your department title and/or your job title or class? As an EHS auditor I'd like to keep my options in the future and that sounds very very interesting.

Saltpowered
Apr 12, 2010

Chief Executive Officer
Awful Industries, LLC
Can't really give my specific one without giving away where I work. However, I'll get you some information so that you can look for companies with positions like this. This type of auditing is called Social or Ethical Auditing.

Lots of companies call the department and positions lots of different things, it really just depends on the corporate structure. Generally, it's whatever department does Social/Corporate Responsibility. In some corporations, it's the Sourcing department while others have their own Social Responsibility department. Since most of the corporate/social responsibility stuff is relatively new, it isn't well developed in most companies.

The departments that a position like this might be in would be: Sourcing (possibly called Ethical/Global Sourcing), Ethics, Social Responsibility, Logistics, Corporate Responsibility, sometimes out of Legal. Positions may be Special Audit, Special Investigator, Investigations Manager, Audit Manager, Assessment Manager, etc.

If you are interested in that field, I'd look into the Alliance for Bangladesh Worker Safety, the Accord on Fire and Building Safety in Bangladesh, the International Labor Organization (ILO), Better Worker (BW), and the International Council of Toy Industries (ICTI), Sedex. These are some of the major workplace safety organizations that are involved in social auditing (though some like the Accords are more concerned with Electrical and Building Safety [EBS] auditing). Companies that are members of these organizations or support them are usually ones with Social Auditing departments.

If you are interested in the major 3rd party audit firms or Corporate espionage firms used by the companies, look into Bureau Veritas, Intertek, Cal Safety Compliance Corporation (they tend to go by CSCC or CSR these days), and Kreller. You might check Sedex's Associate Auditor Groups (AAG). There are a number of firms on there as well that all follow the same standards.

I will give one big piece of advice if you are interested in this field. Yes, you really can improve people's lives and stop some really terrible poo poo from happening on a global scale. However, you will just as often not be able to stop the terrible poo poo you know is happening because you can't gather all the necessary evidence to do so. And sometimes you'll see a factory or company be given a second chance when they really, really shouldn't get one. That's the nature of the job and you have to be willing to accept that. Otherwise you will make yourself very miserable and won't be long for the job.

The job isn't all doom and gloom though. You develop a really dark sense of humor. I know several people have mentioned they are EHS auditors. Have you guys ever done a fire safety audit? Because you will see some things there that are loving hilarious. Factories photoshopping documentation, trying to convince you that a pencil sharpener is a backup battery, smoke detectors hanging from light fixtures with fishing line, and generally lying through their teeth. My all-time favorite though would be a year ago when I saw a factory with a fire alarm system that was a plastic airhorn taped to a wall with masking tape. Not an industrial airhorn and not a wired airhorn system. No, the type of airhorn you carry to a football game.


oxsnard
Oct 8, 2003
I do fire safety/emergency response audits as well. However, the "screw ups" in North America and Europe are much more, well, benign.

Thanks for the info, something to look at if my EHS career gets stale and/or the energy industry tanks.
