Richard Tuck, CES, CPC, CIPC
The economic downturn of 2007-2010 has had a tremendous impact on auditors’ careers in comparison to other recessions.1 Using the analogy of a swinging pendulum, the auditor’s career has gone from one extreme to another— from internal audit’s rapid expansion during the implementation of the US Sarbanes-Oxley Act-required controls, to the alarming contraction of the number of employed auditors during the recent recession. Now, the pendulum is beginning to swing slowly back toward an expansion phase.
In previous recessions in the US, internal audit functions were not always affected. In fact, in the downturn in the US of the early 1980s, many audit departments actually grew in headcount, possibly as a result of corporate leaders realizing that fraud is more prevalent in down times and feeling concerned about the lack of reliable controls on computerized accounting systems. On the other hand, the recession that followed the aftermath of 2001 shook audit departments as well as every other department. Shortly thereafter, there was a great deal of outsourcing of internal audit to public accounting firms.
The passage of the Sarbanes-Oxley Act in 2002 was a harbinger of happier days returning to the audit world, and within a year, firms were scrambling to try to come to grips with the strenuous requirements of the new law. After just about every available auditor had been pulled into performing Sarbanes-Oxley work, the IT community started getting recruited to fill the multitude of positions. This was at a time when IT people were in great supply and jobs for IT people were scarce. Offshoring of IT positions had displaced a great many people who had been project leaders, analysts and programmers. These people proved readily adaptable to testing the controls over IT systems.
For a number of years, corporate America could not find enough people with Sarbanes-Oxley expertise. Public accounting and consulting firms expanded their Sarbanes-Oxley compliance departments and hired and trained vast numbers of people. As the Sarbanes-Oxley requirements spread beyond the US, talented people with controls testing knowledge became scarce in many other areas of the world. The demand for auditors, or people who could perform even some of the duties of audit, was at an all-time high.
As the turbulent times of the Wall Street financial crisis approached in the latter part of 2007, the tide was already starting to turn. Many corporations had formed their own Sarbanes-Oxley or regulatory compliance departments, taking some of the pressure off internal audit departments that had been forced to divert many of their resources away from performing audits.
With the collapse of prestigious Wall Street firms such as Lehman Brothers and Bear Stearns, suddenly corporate America started to get the jitters. Hiring slowed to a trickle and companies started looking carefully at spending. Liquidity suddenly took on new meaning. Before long, the international accounting and consulting firms started losing business. Layoffs soon followed. In 2008, the Big 4 public accounting offices began laying people off on an unprecedented scale. Cost-conscious corporations started considering bids from second-tier public accounting firms, some of which were staffed by people who had just been laid off by the Big 4. As the recession deepened, the second-tier and regional firms were forced to institute layoffs as well.
The cutbacks were deep and painful. Audit and advisory service lines in public accounting had, until now, typically been viewed as a “safe” profession. After all, the thinking went, big business is always going to need auditors. Suddenly people who had been planning to someday become partners in public accounting found themselves with a pink slip. At every level, from staff consultant through partner, the unemployment rate among auditors was, for the first time, soaring.
Corporate human resource people were elated to be able to interview a wide range of talented individuals before making a choice for an open requisition. Within one year, the supply and demand ratio had reversed itself. In 2007, a Big 4 IT auditor with a Certified Information Systems Auditor (CISA) designation could have had his/her pick of employers in most large cities. By March 2008, employers had their pick of any number of highly qualified IT auditors. Auditors in public accounting were not at all accustomed to being thought of as a commodity in oversupply.
To better understand the dynamics of the changed job market, a simplistic overview of the two different views of the internal audit career can be considered. Many departments regard internal audit as a lifelong career choice. Other departments, ever growing in number, regard internal auditing as a terrific set of skills with which a career-minded person can launch him/herself into any number of other directions such as finance, accounting, operations or strategic planning. Some departments strike a balance of career auditors and auditors building toward another career.
Whereas government agencies and nonprofits tend to prefer career auditors, the majority of Fortune 500 departments view their internal audit departments as a grooming ground for future leadership roles. The majority of students graduating from the top universities strive to some day hold those top leadership roles. Most of these students regard audit as a stopgap—a great place to learn a corporate culture, develop skills and make important connections from which they can then launch themselves in the directions they want to pursue long term.
With the economic downturn and the numbers of Big 4 people being laid off, the ripple effect was almost instant in universities. Students who had older siblings, friends and accounting alumni unemployed started questioning whether getting an accounting degree or an audit specialization was such a good idea. Students started changing majors to economics, marketing and finance if they continued in business school at all. Many refocused on liberal arts. “Before, internal audit was a guarantee for anyone to get a job so people went into internal audit; now it isn’t, so they’re going into whatever they want to,” says Mark Salamasick, director of the Center for Internal Auditing Excellence, University of Texas at Dallas (USA). “I see a lot of students going into finance just because it sounds interesting to them, although the job market is much worse than for internal audit. So you now find students…going into majors that interest them vs. one that has better job opportunities.”
One cannot discuss the economic downturn without mentioning its effect on non-US students and workers in US audit departments. For a number of years, the H-1B work authorization program in the US had been especially helpful for companies trying to hire scarce talent. It is no surprise that the four biggest employers of H-1B visa-holding professionals were in fact the Big 4 firms. When unemployment among auditors started to occur, the Big 4 and corporate America started stepping away from renewing the H-1B work permits. A great many people who had come to the US to get their business and/or technology educations had found their internships and first jobs with the Big 4. Five years earlier, they would have eventually applied for a green card and, after an arduous process, been granted permanent work status in the US. With repeated rounds of layoffs by public accounting firms, many H-1B visa holders found themselves unemployed and with only a short window of opportunity to find another employer or be forced to leave the country. Not surprisingly, the number of employers willing to sponsor foreign workers practically dried up. Many of these very talented individuals have returned to their homelands, or are working in other countries.
The effect of this implosion in the US is yet to be felt, but there has been a profound drop in the number of non-US students attending US universities. Having all these many talented individuals forced to leave the country will likely some day be described as a terrible brain drain with lasting international effects. The attractiveness of acquiring a US education and an opportunity to work for prestigious organizations has greatly diminished. It might make attracting great talent back to the US at some later point much more difficult. As businesses continue to globalize, the insight and cross-cultural business knowledge that these workers bring will be in great demand. As one US-based university instructor recently observed, “My graduate classes now lack much of the richness we had when international students brought divergent points of view to classroom discussions. Their contribution is sorely missed.”2
Looking at the immediate future, a few things are very certain. The number of pure IT positions is staggeringly low. More and more technology functions have been offshored to less-expensive areas, and more of these offshore sites are popping up. Instead of everything seeming to go to China, India and Pakistan, Mexico is starting to gain ground. As the IT functions become more globally based, so too does the IT audit work. More and more departments are hiring local IT auditors or consulting firms in the countries in which the work is being done.
Another population of workers that has been displaced is the IT people who came to the audit profession as Sarbanes-Oxley testers. Now that the demands for Sarbanes-Oxley testing have been systematized, many of these people are on the job market. When they apply for mainstream audit positions, they fall short of the requirements. Often they do not have an accounting background or experience performing financial, operational or IT audits, and writing professional audit reports. Their expertise is in testing. Many audit directors say that when they post an audit position, they get inundated with applicants who have done only Sarbanes-Oxley work and cannot step right in and perform the kinds of work needed.
Over the last 15 months, several surveys of global audit departments have been conducted to get an idea of how the profession is evolving and the new directions chief audit executives (CAEs) are charting for their departments. There is no denying that both internal audit and public accounting auditors were hard hit in 2008 and even more so during 2009. Of the respondents to the online surveys, representatives from more than 25 percent of companies reported layoffs.
By way of contrast, more than half of the respondents to one survey in January 2010 expect to do hiring in their audit departments in 2010. “I am cautiously optimistic,” Jarrett Fenlon offers. Fenlon recruits for some of the biggest firms in the northeast US. “IT audit positions are starting to show up in ever-increasing numbers. The big firms—Fidelity, JP Morgan Chase, Fannie Mae, Morgan Stanley and State Street—are all starting to feel more confident in their hiring. But, this will not be business-as-usual hiring. The rules of the game have changed—perhaps forever. Although the recession is widely regarded as being over, the recovery is going to be a slow process. Audit budgets are going to be carefully scrutinized and requisitions to hire will be thoroughly examined. Most audit executives have resigned themselves to the fact that they are going to be in a position of having to accomplish more work with fewer resources. The responsibilities of internal audit departments are shifting. They are not as enmeshed in Sarbanes-Oxley work, and the schedule is now moving to other priorities with much more emphasis on value-added services, and that value is best if it shows up on the bottom line of the company rather quickly.”
Shedding Sarbanes-Oxley responsibilities is freeing up more time for auditors to get back to some of the areas in which they were previously excelling: conducting application audits of the new business areas into which the business has expanded, enhanced fraud reviews, and shrewder utilization of data analytics to help management make informed decisions. Employers now want to hire people who have more ability to accomplish a broader range of responsibilities. The CAE of one Fortune 50 company put it this way, “The ideal person to join our department is a Big 4 CPA who also has experience in industry and has some degree of specialization in the needs of our company—either in terms of product knowledge, market niche or technology deployment.”
As one senior director in a consulting firm said, “The prevailing wisdom is that Sarbanes-Oxley makes you stupid. People who have focused too narrowly on Sarbanes-Oxley work are having a very difficult time proving their adaptability, and often are not really able to articulate how their work directly improved the bottom line of a company— which is critical in today’s environment.”
“IT auditors were once regarded as the scarcest skilled professionals in audit departments,” shares Trish Mulholland, who advises audit groups on the US’s west coast on hiring. “Now some departments are looking for an IT auditor who has even more skills. As departments are evolving into integrated teams, even the IT person is more marketable with a Certified Public Accountant (CPA) certification. If an individual has a technology degree and three to five years in IT audit, companies are attracted to their skill sets, but in terms of long-term career planning, these same employers voice concern about where these people can move in the organization, especially when they have no IT people working in the [US].” The integrated auditor, on the other hand, has the option of moving out into the controllers’ group or into the finance department.
“What I see happening,” opines Caitlin McGaw, a UC Berkeley MBA with experience in several global organizations before joining Lander International a dozen years ago, “is less demand for generic IT audit skills and more demand for specialized abilities such as reviewing enterprise resource planning (ERP) portals, firewalls and penetration testing. At the same time, there is an emphasis on business knowledge and outstanding communication skills. Today’s IT auditor needs technical depth, but also has to be able to expertly build the business case for controls which can be clearly communicated to management inside and outside of audit.”
This is a tall order. But internal audit departments with constrained budgets (a fact of life for the foreseeable future) are looking for a big bang for their buck. IT auditors looking for a new opportunity need to be attentive to these requirements when interviewing, especially when the competition is so stiff.
“Not possessing a certification in this marketplace is a killer,” Michelle Maltzahn adds. “Audit departments want the best and brightest, but they also want the most dedicated people. When a candidate says he was too busy to sit for a certification exam, it just does not ring true. If a person has been laid off, the best advice I give them is to start studying. Take advantage of this time period to pass certification exams, continually read books and stay on top of all the latest technologies that are gaining popularity. Every employer wants to know, ‘How did you make maximum utilization of your time between jobs?’ and you should have a terrific answer.” Maltzahn specializes in recruiting for the Texas (USA) marketplace, but she is quick to point out that the demand for certifications is universal. “And, do not rest on your laurels. Do not settle for just one; continue your education and your dedication to expanding your knowledge.”
The career direction one is seeking should determine which certifications to pursue. The CPA often creates a pathway to directing an audit function. The CISA shows a breadth of knowledge in audit, risk management and technology controls. The Certified Information Security Manager (CISM) demonstrates one’s ability to plan and manage complex, structured endeavors, both in audit and in operations and IT. There are also certifications in specialized areas, such as the Certified Information Systems Security Professional (CISSP) or the Certified Fraud Examiner (CFE), that can help open specific career doors. Not having any certification may result in an otherwise qualified person being locked out of career opportunities.
The question that many human resources (HR) people and professional auditors are starting to consider is, “What happens next?” Most people who lost their employment during the cutback cycles have landed other positions, but how many of these people consider themselves underemployed and/or underutilized? A great many of the Big 4 displaced people took positions with small and medium-sized companies that soon may be unable to deliver the career plans that these individuals have in mind. Some short-minded employers have harmed their long-term retention goals by offering less-than-standard wages, taking advantage of the supply of talent being temporarily so large. It is no secret that many Big 4 executives are keeping close tabs on where their former employees landed after being laid off. Prudent internal audit departments are taking steps to ensure that they can retain their good talent once the economy improves.
In surveying the career prospects for IT audit professionals in the future, the outlook is improving dramatically over what it has been for the last couple of years. This will be a watershed time for people to develop new skills and add value in ways that auditors 20 years ago would never have considered. As the need for security over computerized systems increases, auditors with technical security skills will have ample opportunity to move into security careers. Individuals with strong data analytics skills will be worth their weight in gold.
It is not impractical to think ahead to another age of looming auditor scarcity. With the number of Baby Boomer retirements in the US taking its toll and the diminished number of students that will be graduating with appropriate degrees to enter the audit profession, internal audit departments may soon be faced with the swing of the pendulum toward auditor scarcity. Attracting and retaining talented individuals while staying on budget may be the largest challenge of the next several years.
1 This is based on the author’s experience, having guided and directed an executive search firm specializing exclusively in audit positions through three previous recessions.2 Throughout the last 30 years, Lander International has held weekly meetings among its executive directors to discuss and analyze the trends and changes happening in the audit profession. The directors of Lander International LLC have visited over 300 internal audit departments to put on seminars, teach classes, review audit approaches and gain a better understanding of new directions the profession has taken. It is from these relationships that the quotes used in this article are derived.
ISACA is developing the Career Guide for Information Security and Assurance Professionals, which will be available to the public as a complimentary PDF download on the ISACA web site. Please look for its availability by midyear. Once available, please look for it at www.isaca.org/deliverables. To learn more about ISACA research projects in development, please visit www.isaca.org/research.
Richard Tuck, CES, CPC, CIPCis the chief executive officer and founder of Lander International LLC. For more than 30 years, he has operated the largest recruiting firm in the US specializing exclusively in helping auditors find career opportunities with Fortune 500, public accounting and consulting firms. Placement activities have spanned every industry and geographic area in North America with additional market penetration in Europe and Asia. Tuck has spoken at more than 400 meetings and conferences, candidly sharing his views of the direction of the audit profession and the career path options for audit practitioners. This is the fourth recession he has analyzed for its effects on the auditing profession. Tuck was formerly a university instructor and has served on several educational outreach programs and panel discussions put on by ISACA and the Institute of Internal Auditors. He guest lectures for audit courses at several large universities, is a past president of the ISACA San Francisco Chapter and previously served on the ISACA International Board of Directors.
Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2010 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.