Five Questions With... 


Jose Luis Carrera Jr. has been responsible for directing the internal audit department of Agility Defense & Government Services (DGS), Kuwait City, Kuwait, since 2008. He has more than 19 years of international auditing and internal auditing experience, which he gained from his positions at RSM McGladrey & Pullen LLP; Singer Lewak Greenbaum & Goldstein, a regional certified public accountant (CPA) firm in the Los Angeles, California, USA area; PricewaterhouseCoopers LLP (PwC); and Saudi Arabian Oil Company.

As senior manager of PwC’s Global Risk Management Services (GRMS) group, Carrera was responsible for assisting high-tech clients (Microsoft and Nintendo) and international energy clients (Chevron, Saudi Arabian Oil Company and PEDVSA). He also served as senior manager for two SAP and PeopleSoft implementations for three multinational oil and gas conglomerates (Venezuela, Saudi Arabia and UAE) and one federal energy company located in the northwestern US. In addition, Carrera was one of the founding members of the PwC Tiger Teams for SAP System Security and was the exclusive PwC senior manager for the annual cosourced internal audit engagements for Raytheon and Washington Group International.

At RSM McGladrey, Carrera was responsible for directing the Risk Management Consulting Service group of the Desert Southwest Region (USA), and he spent six years in Saudi Arabia as the special audit internal audit manager and information systems internal audit manager of the Saudi Arabian Oil Company.

Carrera has extensive experience in strategic financial performance; organizational behavior; business process improvement and operational efficiency; internal audit outsourcing; risk management; assistance and implementation of sections 302, 404 and 906 of the US Sarbanes-Oxley Act of 2002; and large-scale application and system implementation (budgets in excess of US $200 million). He also has strategic and senior-level management experience, which he gained in the financial, manufacturing, high-tech, government and energy industry sectors.

Carrera is fluent in English and Spanish and is proficient in conversational Arabic. He is a “weekend warrior” on his 2000 Special Edition Harley Davidson Road King motorcycle and has more than 5,000 Cuban cigars in storage. He is also a long-time season ticket holder for the Arizona Cardinals football team. He can be reached at


How has continuous auditing/monitoring changed in recent years? What makes it unique?


During my tenure in internal auditing and in working for a Big Four international accounting firm, continuous auditing/monitoring (CM) has changed dramatically. When I was introduced to CM, it got its impetus from the academic environment—the type of applications created in Fortran and then punched into cards to be read by the big academic mainframe: an IBM 3081! I can still remember having to run SAS routines that I created to extract and “monitor” complex financial application algorithms in order for me to perform my electronic data processing (EDP) application audits. Fast forward to the last three years, ACL, Structured Query Language (SQL) and other built-in enterprise resource planning (ERP) applets are performing the same function—created in “English speak” and providing “executive business reports” to executive management and the independent business consultative internal audit department for review, evaluation and possible risk mitigation. CM, in my professional career, has provided me a “full-time cyborg” to assist in enterprise risk management planning by updating the planned internal audit engagement. However, the value comes into play when asked by the audit committee to perform that “special project” under their guidance and preview. CM is like the US Navy Seals: Get in and get out.


In regard to enterprise risk management, what do you believe is the single largest IT-related risk for businesses today?


I am a firm believer that enterprise risk management, if performed correctly, combined with CM, and coupled with well-disciplined operational employees who understand their internal control environment and perform annual control self-assessments, is utopia! The reality in my inner sanctum is that enterprise risk management is performed on an annual basis, and in my position, I spend the entire year, after planning the current year’s internal audit plan, convincing the audit committee of what should be performed and requesting additional budget to cover all the low-hanging fruit for the upcoming year.

However, persistence and open communication with the audit committee chair and other executive management is probably the initial step in maintaining a consultative internal audit department that moves into enterprise risk management on a full-time scale. Additionally, creating and maintaining computer-assisted audit technique (CAAT) applications that are embedded and set to provide real-time data to executive management are also evidence that moving risk management into the daily vocabulary of operational management and staff is where we need to be.


How would you describe the impact of the increasingly strict regulatory environment on the IT auditor?


The increasingly strict regulatory environments, from an internal audit profession perspective, definitely keep us on our toes. Increased regulatory oversight, to some extent, is in highly regulatory environments. In other environments, it is the soup du jour. You see, when the US Sarbanes-Oxley Act inundated the accounting profession, it was a necessity based on a specific situation that rocked the accounting profession—the demise of Enron and Arthur Andersen. How was that different in the health care field? Are we seeing more regulatory oversight and mandates from the airline industry? I am sure we are going to see an increase in regulatory oversight in the energy industry as a result of the recent BP disaster in the US Gulf Coast, but how would increased IT auditing and ACL applets or denial-of-service (DOS) prevention have assisted in mitigating the events that occurred? It is my personal belief that the more we push regulatory mandates, the more we get away from what “should be” done and, instead, concentrate on what “needs to be done.” Internal auditing, including IT, financial, operational and compliance auditing, should work off of sound principles of internal control, checks and balances, and programmed processes.


Having lived and worked in numerous cities in the US and Middle East, how would you advise someone considering such a move? What are the biggest challenges and differences that you have encountered in your work in different countries?


Living and working in numerous cities in this beautiful world has been an adventure, not only for my professional career, but also for my family. It took some convincing for my wife to leave Arizona, USA, and travel to the Kingdom of Saudi Arabia, especially during the Gulf War. Then we returned to the US to work in the beautiful northwestern part of the country, only to be transferred by my employer back to the Grand Canyon state (Arizona). Then we were off to Los Angeles for several years, to again return to Arizona…which then led me to my present employment location, Kuwait City.

The biggest challenges that I have uncovered during my internal audit tenure, away from the US, are twofold:

  • First, answering this as a husband and father, I’d say you have to have faith. Do not get me wrong; I am not trying to proselytize, but to state a fact: If you have faith—be it in a higher power or whatever suits you—you must have a strong conviction and be faithful to guide and care for your spouse; children; family network; and, more important, your skill set because there is only one of you, and when the going gets tough, and it will, you need to rely on your convictions.
  • Second, if you maintain any recognized international certification, you need to remember your ethics and common sense. The farther away you are from the nest, the birds play at a different level! I have been challenged repeatedly to overlook my ethics and integrity, and fortunately, I do not bend when faced with those critical decisions.


What has been your biggest workplace challenge and how did you face it?


As a chief audit executive, the workplace challenges I have been faced with and continually deal with include:

  • Maintaining career satisfaction among IT auditors
  • Cultural sensitivity

Let’s face it, keeping IT auditors engaged as valued members of an integrated internal audit team as well as letting them fulfill highly complex IT internal auditing, for some, takes its toll on the cohesiveness of the internal audit department. This is the fundamental yin-yang internal audit department theory. An IT auditor who is technically knowledgeable and current with existing technology and platform operating systems requires a challenging and dynamic career path and constant daily interaction. It is challenging for someone in my capacity to keep the revolving door from turning. On the other hand, the talent pool that I have had fill these types of IT audit positions has been very gratifying, with gifted individuals with higher-education credentials and many IT-related certifications.

A more sensitive issue in this part of the world is the religious “overtone” in the workplace. Kuwait is a very open country and the Emir has given individuals the opportunity to openly practice several religions in this country. However, for some, this entails more “political correctness” that must be engrained in the workplace, and for others, it is an added bonus. Personally, I live by the golden rule: “If you can’t say something nice about someone, don’t say it at all.” Always engage the synapses before the mouth.

As an American working abroad, I continually remind myself that I am an ambassador for the US, and that I am an ambassador for the internal audit profession as a whole. Never look in the rearview mirror of life. Focus on the oncoming traffic.


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2010 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.