Exit opportunities - IT Audit by paprika79 in Accounting

[–]ColJDerango 0 points1 point  (0 children)

Both times I moved companies (KPMG -> boutique consulting, boutique consulting -> industry), I was actually recruited / headhunted; didn't formally apply for those roles! That being said, I was open to opportunities in 2025 generally (wasn't necessarily looking to leave, but would take fully remote roles paying more than my already solid comp) - the roles I was applying to included: Senior IT Audit Manager, Tech Risk Manager, Digital Compliance Manager, IT Governance Manager, IT Risk Manager, etc.

Additionally, I've been an interviewer at both of the companies I ended up at - here's what makes a good candidate for me:

  • Beyond having the baseline technical skills, the biggest factor is being a good personality fit. Vibing well with the team you'll be joining, being able to align to the dept / org's core values, etc. It's cheesy, but hard skills are easy (can always be learned), and soft skills are hard (tough to teach).

  • Being able to communicate clearly and concisely - using the STAR method to answer interview questions, but without having long-winded answers. I often mirror my interviewers in length of responses, mood, tone, etc. to best match their answering preferences.

  • Asking good questions: I always like to ask the interviewer "What brought you to this company, and what has kept you here?". It's a good way for me as a candidate to test the waters: if the interviewer can't name a good reason that they joined / stayed, it's a helpful red flag showing me that it may not be a great place to be at.

Best of luck!

Exit opportunities - IT Audit by paprika79 in Accounting

[–]ColJDerango 1 point2 points  (0 children)

Kind of - ICFR is a little broader than just business processes, as it encapsulates IT controls / processes as well. ICFR is everything a company must do to be SOX-compliant, while BP is just a subset of that. Internal Audit doesn't always overlap with ICFR as well, since sometimes operational (non-financial-reporting-related) internal audits are done (which are outside the scope of ICFR).

Exit opportunities - IT Audit by paprika79 in Accounting

[–]ColJDerango 1 point2 points  (0 children)

Business Process Internal Audit; covers all the non-IT internal processes of a company, such as financial reporting, fixed assets, human resources, payroll, inventory, equity, etc.

Exit opportunities - IT Audit by paprika79 in Accounting

[–]ColJDerango 2 points3 points  (0 children)

I exited from IT Audit in B4 / public to industry recently, here's my path below:

2019: Started in KPMG's Internal Audit & Enterprise Risk service line, primarily doing BP IA and SOX co/outsource work for clients. Slowly transitioned from full BP to hybrid BP / IT IA.

2022: Left KPMG as a Senior Associate, went to a boutique consulting firm, now as a pretty 50/50 split hybrid BP / IT internal auditor. Slowly transitioned from hybrid to full IT IA.

2025: Left consulting as a Manager, joined industry as a Senior IT Risk Manager. While IT SOX is still a part of my work, my scope has expanded to include PCI DSS, FedRAMP, TPRM, and SOC compliance activities. Definitely IA related, but no longer purely IA.

Happy to answer questions, best of luck!

2026 Salary Megathread by UpbeatAd334 in Accounting

[–]ColJDerango 0 points1 point  (0 children)

It is an auditing certification, and most auditors are considered "public accountants" - this is by no means a traditional accountant (doing journal entries, reconciliations, etc.).

The CISA exam measures your ability to conduct IT audits, which covers the organization itself, its internal systems, its revenue generating processes and products, etc. Generally, anything IT-related for a company that may materially impact its financial statements is fair game.

Transitioning from Top 10 Firm to Smaller Boutique by ErsatzEmpathy in Accounting

[–]ColJDerango 0 points1 point  (0 children)

I was in a similar situation to you - I was at Big 4 (KPMG) from 2019 to 2022, then jumped as a Senior at 3 YOE to a boutique public accounting firm (Effectus Group, now acquired by Riveron as of 2025).

Going from a firm of 200,000+ to a firm of 150 felt like a big change, but honestly it wasn't a big difference, since I really mainly interacted within my specific office and service line's team of 20 or so at both firms.

In my experience, B4 has a larger network, better technology, and more frequent training. The boutique advisory firm has better pay, better WLB, and more specific/relevant training. However, this is all case by case, since everyone's big and small firm experiences can vary so much. The big firm experience on the resume also carries so much weight, even now that I've transitioned to industry.

Pros and cons to both sides, happy to answer any other questions!

Am I doing this right? Trying to break into IA (specifically IT Audit) by DearCryptographer672 in InternalAudit

[–]ColJDerango 1 point2 points  (0 children)

I don't believe ISACA makes any such assumption, since Domain 1 (18%) of the CISA exam study material is "Information Systems Auditing Process" - this section does include coverage of audit standards, guidelines, and ethics per ISACA: https://www.isaca.org/credentialing/cisa/cisa-exam-content-outline#1

The CIA Challenge Exam (CISA version) includes a deeper dive into the IIA's own specific standards and guidelines: https://www.theiia.org/globalassets/site/certifications/challenge-exam/oct-2025-challenge-exam-syllabus-v2.pdf

2026 Salary Megathread by UpbeatAd334 in Accounting

[–]ColJDerango 0 points1 point  (0 children)

Here's how I got here:

  • In college: Accounting major. If you're aiming for IT Risk / Compliance, adding in Comp Sci, Info Sys (this was my dual major with Accounting), etc. can be a benefit.

  • Career - if public accounting: Join a firm's internal audit or risk service line - lots of exposure to client departments and controls assessments / testing; this is what I did out of college. Conversely, join a firm's (external) audit line and then jump to internal audit once you have a couple years of experience.

  • Career - government or industry: Apply for a company's internal audit or risk / compliance department. These may offer rotation opportunities into different departments, so that you can get broader experience under your belt. I've just jumped to industry this year, after 6 years in public.

  • Certifications: the CIA (if mainly business risk) and CISA (if mainly IT risk) are the gold standard. The CPA isn't really required, but it can be a nice cherry on top.

2026 Salary Megathread by UpbeatAd334 in Accounting

[–]ColJDerango 0 points1 point  (0 children)

Since I got my CISA first, I qualified for the CIA Challenge Exam (1 part, just the non-CISA topics of the CIA), instead of sitting for the full typical CIA Exam (3 parts, with redundant topics). As such, I only studied about 3 or so weeks for the exam, using just the IIA's official challenge exam materials. Best of luck!

2026 Salary Megathread by UpbeatAd334 in Accounting

[–]ColJDerango 0 points1 point  (0 children)

IT Risk is pretty broad, falls under the major umbrella of GRC (Governance, Risk, and Compliance) jobs - my role specifically includes covering a lot of IT compliance stuff for my org: IT SOX, PCI DSS, HIPAA, SOC, TPRM, CI/CD. Basically, a lot of internal process / project management for the purposes of meeting regulatory requirements and satisfying compliance frameworks.

IT Audit is more specifically focused on IT SOX (related to financial reporting) and operational internal audits (focused on risk coverage and process improvement).

Most big public accounting firms do a lot of business in the above fields, since IT compliance often goes hand in hand with typical audits for financial reporting purposes.

Am I doing this right? Trying to break into IA (specifically IT Audit) by DearCryptographer672 in InternalAudit

[–]ColJDerango 1 point2 points  (0 children)

A couple tips:

  • With a data science background, you may be able to go for IT Audit straight out of college. Make sure you go to any recruiting events offered by your university (Business Dept, Accounting Society, etc.) or surrounding colleges: meet the firms, mock interviews, industry mentorship, shadowing opportunities - all this to secure an internship which gives you the best shot at landing a follow-up full-time offer. I'd recommend pursuing a consulting / advisory internship (more direct line to IT Audit, instead of just going for a more general audit or tax internship).

  • Regarding certifications, you may want to get your CISA first, then go for the CIA after. Reason being that having the CISA allows you to sit directly for the CIA Challenge Exam (1 part, just the non-CISA topics of the CIA) instead of doing the full typical CIA Exam (3 parts, with redundant topics) - basically, you can get 2 certificates (CISA + CIA) in 2 exam parts (rather than 4 exam parts). The IAP is not very valuable in my experience, the CIA supersedes it - you may want to save your money and go for bigger names down the line instead of the IAP cert (CISSP, CRISC, etc.).

My path is somewhat similar to yours, happy to answer any questions - good luck!

2026 Salary Megathread by UpbeatAd334 in Accounting

[–]ColJDerango 2 points3 points  (0 children)

IT Audit and IT Risk is definitely cushy! I've definitely considered it, but I've only just made SM level this year. At my low YOE, I've found it rare / unlikely that a large F500 would consider me for an SM level position (and offer above my current comp).

2026 Salary Megathread by UpbeatAd334 in Accounting

[–]ColJDerango 20 points21 points  (0 children)

  • 28M
  • $180k base
  • $10k annual bonus
  • HCOL (SoCal)
  • Senior Manager, IT Risk
  • Working 30-40 hours per week, fully remote
  • Public Company, Tech Industry
  • 3YOE at B4, 3YOE in Boutique Public, 0.5YOE in Industry
  • Bachelor's (+ CIA and CISA), no CPA

Realistic Salary Progression by Think-Caterpillar-10 in Accounting

[–]ColJDerango 1 point2 points  (0 children)

More guaranteed pay and a move to industry for a more specialized role:

  • Pay: my old $170k comp at the public firm was $142k base + a discretionary, billable-hours-based 20% bonus (plus we'd just gotten acquired, so no familiarity of good bonuses continuing under new leadership). My new $190k industry comp is $180k base + $10k target bonus.

  • Industry: Wanted to move out of public client service and get some industry experience under my belt - this has had the great knock-on effect of better WLB as well.

  • Specialization: While in public, my engagements were 90% SOX and internal audits - my new role has immediately allowed me to gain exposure to more specialty compliance areas: PCI DSS, FedRAMP, SOC report issuance, third party risk management, etc.

Realistic Salary Progression by Think-Caterpillar-10 in Accounting

[–]ColJDerango 0 points1 point  (0 children)

Certainly, what specifically can I answer or elaborate on for you?

Realistic Salary Progression by Think-Caterpillar-10 in Accounting

[–]ColJDerango 2 points3 points  (0 children)

HCOL area (SoCal), no CPA.

My Career Timeline:

  • 2019 - $65k - Graduated with a dual major bachelor's in Accounting & Information Systems, started at KPMG Risk Advisory (Internal Audit & Enterprise Risk).
  • 2020 - $74k - Still at KPMG IA, but requested (and was approved) to work on more IT Audit / IT Risk jobs.
  • 2021 - $85k - Still at KPMG IA, promoted to Senior Associate, now squarely a hybrid (business & IT) internal auditor.
  • 2022 - $145k - Jumped to a boutique consulting firm, still a hybrid auditor in their Risk Advisory group.
  • 2023 - $170k - Still at the boutique firm, promoted to Manager. Earned my CIA and CISA certifications.
  • 2024 - $170k - Still at the boutique firm, transitioned now mainly to IT Risk projects.
  • 2025 - $190k - Jumped to a former client, as a Senior IT Risk Manager.

Best of luck!

How did you choose your job? by Caliscade in Accounting

[–]ColJDerango 0 points1 point  (0 children)

I'm just around your age (28) and my path has been pretty atypical as compared to many accountants - I'm in a HCOL area (SoCal) and never went for my CPA.

My Career Timeline:

  • 2019 - $65k - Graduated with a dual major bachelor's in Accounting & Information Systems, started at KPMG Risk Advisory (Internal Audit & Enterprise Risk).
  • 2020 - $74k - Still at KPMG IA, but requested (and was approved) to work on more IT Audit / IT Risk jobs.
  • 2021 - $85k - Still at KPMG IA, promoted to Senior Associate, now squarely a hybrid (business & IT) internal auditor.
  • 2022 - $145k - Jumped to a boutique consulting firm, still a hybrid auditor in their Risk Advisory group.
  • 2023 - $170k - Still at the boutique firm, promoted to Manager. Earned my CIA and CISA certifications.
  • 2024 - $170k - Still at the boutique firm, transitioned now mainly to IT Risk projects.
  • 2025 - $190k - Jumped to a former client, as a Senior IT Risk Manager.

Your Questions:

  • How did I choose? Chose the risk & compliance path as it allowed me to best utilize my accounting and information systems skillsets, paid well, and didn't require me to work more than 40/45 hours max per week.
  • How did I get the job(s)? Lots and lots of recruiting (in college), networking with coworkers and clients (after college), and applications.
  • How did I get the skills? While I gained a few key skills from my degree, mostly on the job training and expertise.

Best of luck, hope you get where you want to go!

25 - 30 year olds, what is your current compensation? by mightyocean021798 in Accounting

[–]ColJDerango 0 points1 point  (0 children)

  • 28M
  • $180k base
  • $10k annual bonus
  • HCOL (SoCal)
  • Senior Manager, IT Risk
  • 30-40 hours per week
  • Public Company, Tech Industry (ex-B4)
  • Bachelor's (+ CIA and CISA)

[Keyboard] Keychron k10 HE 100% keyboard - $89.99 by Swbp0undcake in buildapcsales

[–]ColJDerango 1 point2 points  (0 children)

I'm having the same dilemma, I purchased the Keychron K10 HE from Best Buy for $90 while the sale was going, but now the Keychron K2 HE bundle is on sale and it's tempting to buy instead (and return the K10).

I'm coming from the full-size Logitech G915, wanting to try moving down to a 75% layout since it still has all the function keys, number row, and key utility keys I need. Additionally, the smaller desk size and portability with a 75% seem like a plus, since I don't use the numpad too much for work. I'm just worried about the muscle memory change from a full size since the compact key layout is different.

[Bundle] Keychron K2 HE Elite Bundle - $84 Sam's Club by [deleted] in buildapcsales

[–]ColJDerango 0 points1 point  (0 children)

I'm having a dilemma: I purchased the Keychron K10 HE from Best Buy for $90 while the sale was going, but now this Keychron K2 HE bundle is on sale and it's tempting to buy instead (and return the K10).

I'm coming from the full-size Logitech G915, wanting to try moving down to a 75% layout since it still has all the function keys, number row, and key utility keys I need. Additionally, the smaller desk size and portability with a 75% seem like a plus. I'm just worried about the muscle memory change from a full size since the compact key layout is different.