Chapter 11: Personal Development and Qualifications – Fundamentals of Information Risk Management Auditing: An introduction for managers and auditors



I enjoy my career as an IRM consultant and auditor. It has given me so many opportunities over the last 35 years and I have developed and applied many new skills, met some (very) interesting people and have been involved in a number of high-profile assignments. I have hundreds of contacts who have had equally rewarding careers. All of us have different skill sets, sector experiences, etc. – even those I trained with. Often it is about responding to opportunities as they arise – certainly that’s how I came to specialise in airlines and I’ve thoroughly enjoyed it.

Who are IRM auditors?

Information risk management consultants/auditors fall into two main groups – what I call the ‘Techies’ and the ‘Accountants’. Both do similar work but come from different backgrounds.

The ‘Techies’ come from an IT operational or development background.

The ‘Accountants’ have trained in internal or external audit and may be qualified accountants. Since the mid 1990s accountancy firms have been taking graduates on as specific IRM trainees and helping them to qualify as accountants, as well as providing training and work assignments specific to IRM.

The most effective IRM professionals have a strong combination of the two skill areas. Those with a techie understanding should read more broadly on business and the accountants need to develop their IT technical skills. Both groups need to keep up to date with ongoing developments and I find the best way to do this is to talk to my clients about their plans and then research areas which are new to me online. Newsfeeds from (for example) Computing Weekly and professional firms can often provide a quick digest of ideas and access to papers that give a more detailed understanding.

A typical generic job description is shown in the box below:

IT Risk Manager/Auditor/Assurance Manager Responsibilities

To provide management with feedback and comfort on the IT risks and adequacy of governance and controls. This involves:

•   Coordinating, planning, scoping, budgeting and completing IT audit assignments based on areas of highest risk.

•   Identifying any areas of weakness in IT infrastructure, projects and systems, that would increase the risk of loss through error or fraud.

•   Developing and performing testing and obtaining evidence to support conclusions.

•   Designing appropriate, practical, effective and efficient controls frameworks.

•   Working with business, project and finance management, and with other risk management and audit specialists to improve the IT controls and governance framework.

•   Adhering to the organisation’s policies, auditing standards and professional ethics.

•   Reporting audit findings and recommendations to the audit manager, with clear recommendations and conclusions.

•   Maintaining comprehensive and accurate audit working papers.

Skills and attributes

•   A general knowledge and awareness of current IT risks and issues (e.g. project risks, cyber security).

•   Technical competence and ability to grasp complex issues quickly and effectively.

•   Ability to communicate with those from both technical and non-technical backgrounds and to explain IT, governance, risk and controls concepts.

•   Strong analytical and report writing skills.

•   Tenacity to ensure that issues and risks are resolved.


•   Usually educated to degree level, but may have come from a strong IT background (‘Qualified by experience’).

•   May have an accounting or audit qualification.

•   Possess or be working towards one of the following qualifications:

   Certified Information Security Professional (CISSP)

   Other specialist qualifications as appropriate, depending on specialism (e.g. ISO27001, APM, ITIL, PRINCE2).

Skills audit

To help develop your career it may be useful to complete a skills audit. This involves an honest personal assessment of your skill set against the common areas covered by an information risk management auditor. You can then identify which areas you want to develop. I once applied this and got a response from someone showing they were an expert in all areas. I would say this is impossible! The aim is to have a base level of knowledge and skill across the spectrum and to be able to demonstrate deeper skills in two to three areas.

I use a seven level key:

0  No knowledge

1  Basic understanding

2  Have sufficient awareness to be able to discuss the high-level concepts and principles

3  Capable of conducting a review independently

4  Have conducted and/or reviewed a number of assignments successfully

5  Capable of conducting a deeper review into specific specialist areas (e.g. ERP systems, technical security, etc.)

6  Seen as an expert both within and outside your organisation – consulted by others undertaking a review in this area

But you could develop your own scale. I have provided a template for an initial assessment below. This could be used as a basis for developing a more detailed matrix.

Area                                        Level (0-6)    Is this your desired level?

General IS controls audit                   _____          _____

Information security                        _____          _____

System development/project lifecycle        _____          _____

Business continuity and disaster recovery   _____          _____

Current trends and issues                   _____          _____

Application controls                        _____          _____

Soft skills                                 _____          _____

Assignment planning                         _____          _____

Risk analysis                               _____          _____

Interviewing and data gathering             _____          _____

Report writing                              _____          _____

Training and presentational                 _____          _____

Assignment review                           _____          _____


Qualifications available

The most commonly requested qualifications, and the ones for which some employers will provide support, are provided by ISACA and (ISC)2.

The ISACA certifications available are shown in Table 13.

Table 13: ISACA certifications

Certification                                            Aimed at those who

Certified Information Systems Auditor (CISA)             Audit, control, monitor and assess information technology and business systems.

Certified Information Security Manager (CISM)            Are in management to design, build and manage enterprise information security programs.

Certified in the Governance of Enterprise IT (CGEIT)     Are professionals with knowledge and experience of applying enterprise IT governance principles and practices.

Certified in Risk and Information Systems Control (CRISC)   Link IT risk management to enterprise risk management to become strategic partners to the business.

Cyber security Nexus (CSX)                               Can demonstrate they know the most current cyber security standards and have skills and experience showing commitment and tenacity.

All of the certifications require an examination and some include a requirement to demonstrate additional practical experience. Exams are held two to three times a year at a number of centres around the world, in different languages. Further details are available from the ISACA website (

A number of entrants to information risk auditing from IT wish to have a wider qualification, or may already hold CISSP, provided by (ISC)2®. The CISSP exam tests the eight domains of the CISSP body of knowledge:

1.  Security and risk management

2.  Asset security

3.  Security engineering

4.  Communications and network security

5.  Identity and access management

6.  Security assessment and testing

7.  Security operations

8.  Software development security.

Further details can be found on the (ISC)2 website (

Professional and ethical standards

Because we are advising on best practice governance and control, we need to set good examples ourselves in the way that we undertake our work. For example, we can hardly tell users to ensure they lock their screens when not in use and then leave our own screens open when we walk away from our desks; or write down our passwords and attach them to our laptops!

Those with professional qualifications and memberships will be bound by the ethical and professional standards of their institutes. Both ISACA and the Institute of Internal Auditors, for example, have their own standards. Failure to comply could lead to the loss of the qualification – and in some cases the loss of your career!

The key general principles to apply are:

•   Integrity – auditors must be honest and trustworthy, for example, making clear where there is a potential or perceived conflict of personal and professional interests. This includes complying with laws and regulatory requirements (e.g. not shredding vital evidence).

•   Objectivity – the ability to remain balanced in undertaking assignments.

•   Confidentiality – the audit will often need to have access to highly confidential information. For example, you may be asked to review systems for a proposed merger or takeover, or be involved in a confidential project, releasing knowledge of which could affect the market value of the organisation or jeopardise the success of the transaction. This needs to be safeguarded.

•   Competency – maintaining professional competence, not exceeding your own level of competence, and applying your skills and knowledge to the assignment.

•   Encourage the development of sound frameworks for IT governance and control.

•   Openness in disclosing all relevant information.

Some organisations require staff to complete regular business compliance and independence returns. Most institutes and societies also require members to complete some form of continuing professional development to keep their skills up to date and relevant. There may be a requirement to retain records and evidence of seminars, training, writing of articles, professional reading, etc., which can be called for in a random review.

Sources of employment

IRM managers and auditors are employed in a wide variety of roles and organisations. The main sources of employment are:

•   Banking and finance – due to the need for compliance and the complexity of IT operations and systems.

•   Accounting firms – providing internal and external audit, and risk and compliance consultancy services.

•   Public sector.

•   Other large organisations – particularly in IT services and technology, telecommunications and manufacturing.

Most of the above take staff, at a variety of levels of experience, and provide training and personal development. Many IRM specialists (including myself) prefer to work as independent contractors, providing our skills on a short-term basis for individual projects or assignments.

A personal case study

My own career history may provide some ideas.

I started my working career as a trainee accountant in local government. This included time seconded to IT and internal audit. At that time there was an awareness of the need for specialists in computer audit. I was intrigued as I liked the challenge of being involved in a new area. I moved into computer audit – and was eventually recruited by KPMG as a public sector auditor. This opened up many new opportunities – and over the years I was involved in some very exciting assignments and was able to develop my skills and qualifications. I worked all over the world (Australia, Thailand, India, throughout Europe and in Canada and North America). I have chosen to specialise primarily in project risk – and over the last few years I saw a niche in auditing Agile projects so have now specialised in that.


IRM can form the basis for an excellent career. There are a number of options available and it can be both financially and intellectually rewarding.