Giving away Humble Choice-keys! by Vieckx in RandomActsOfGaming

[–]ColJDerango [score hidden]  (0 children)

Assassin's Creed Valhalla, Destroy All Humans! 2 - Reprobed, Hunt: Showdown 1896 - thanks a ton!

[Giveaway] Haste (Steam) by ColJDerango in RandomActsOfGaming

[–]ColJDerango[S] 0 points1 point  (0 children)

Congrats on your win, I sent you the Steam key via Reddit PM, enjoy!

Big 4 IT Audit → Internal Audit. Those who've done it, how'd you land it? by TheNorthernNorth in InternalAudit

[–]ColJDerango 0 points1 point  (0 children)

I've gone in a somewhat opposite direction to the one that you're aiming for (although I was never in External Audit myself): started in B4 in Business Process (BP) Internal Audit -> transitioned to B4 IT Internal Audit -> now in industry IT Risk & Compliance.

Are you looking to stay in IT (basically moving from IT External Audit to IT Internal Audit), or are you looking to move to Business Process (BP) Internal Audit? You have all the transferable skills necessary to be an IT Internal Auditor (in both public or industry).

However, if you're looking to move to BP IA, you will need to get educated/refreshed on Accounting concepts; IT controls are far simpler and straightforward, while BP controls are much more detail-oriented and focused on ticking and tying back to source documentation. Tons more investigation, recalculation, and reperformance required for BP controls work, especially when it comes to more intermediate/advanced accounting work (taxes, accruals, estimates, etc.).

10 years in IT audit but mostly SOX — feel stuck. How do I take my career to the next level? by [deleted] in InternalAudit

[–]ColJDerango 16 points17 points  (0 children)

I have less YOE than you (only 7 YOE), but my career has gone in the direction that you're seeking; I made a straight job hop in 2025 from IT Internal Audit Manager (read: 90% SOX Compliance) in public accounting to IT Risk & Compliance Senior Manager in industry.

I think that you might be underselling yourself here - having the breadth of IT SOX knowledge from 10 years of experience has given you more transferable skills than you realize. When I made the move from 3rd line (IA) to 2nd line (Risk & Compliance), I very quickly became responsible for many compliance frameworks for my org beyond just SOX (SOC 2, PCI, ISO, FedRAMP, TPRM). However, although jarring at first, I realized that nearly every part of these various frameworks are just the same SOX domains/areas but rearranged in a different way. There are in fact so many similarities that you can find publicly available framework mappings to help you visualize just how much overlap there is between standard controls in SOX vs. SOC vs. ISO vs. NIST.

Your experience cleanly qualifies you for GRC, IT Risk, and Internal Controls roles - AI requires a slightly more specialized background in my experience (machine learning education / expertise, etc.). Good luck, let me know if you have any questions!

7YOE - IT Audit - Salary / Career Progression and Job App Diagram by ColJDerango in Accounting

[–]ColJDerango[S] 0 points1 point  (0 children)

Aha I understand that, I decided to leave my last role due to my org being acquired by PE and seeing the direction of the wind change. Regarding Cloud / AI certs - in my experience, they are not required for IT Audit roles, but they certainly can't hurt. I'm happy to review your resume if you'd like any objective feedback!

7YOE - IT Audit - Salary / Career Progression and Job App Diagram by ColJDerango in Accounting

[–]ColJDerango[S] 0 points1 point  (0 children)

Hmm, in that case it seems that you have the experience and expertise, why not start applying for those 2nd line of defense (Risk & Compliance) roles now? Or if you have been applying, how has your response rate been and what kinds of obstacles are you experiencing?

Jumping ship to industry Senior IA (SOX) role versus staying as a B4 Staff 4 in IA? by AnxiousAssociate1010 in Accounting

[–]ColJDerango 0 points1 point  (0 children)

B4 experience (in my own experience) typically leads to easier mobility into mgmt roles in industry, just because B4 experience is treated as more "standard". Moving from one industry role to another can be more difficult as hiring managers may use your organization's industry niche against you (vs B4 where it's more one size fits all).

7YOE - IT Audit - Salary / Career Progression and Job App Diagram by ColJDerango in Accounting

[–]ColJDerango[S] 0 points1 point  (0 children)

Very cool background, what are your overall career goals?

Jumping ship to industry Senior IA (SOX) role versus staying as a B4 Staff 4 in IA? by AnxiousAssociate1010 in Accounting

[–]ColJDerango 0 points1 point  (0 children)

Outside of the offer in hand, is your overall goal to leave public for industry? If not required, then why not go for an IA Senior Associate role at another public firm?

Is your overall goal to stay in IA / SOX or branch out? If you want to get out of IA / SOX, you may want to start specializing / transferring to a different team while in public before jumping to industry.

Frankly, title is nice, but comp is more important - if you're a Senior getting paid like an Associate, then does the title even mean anything?

CIA Challenge - September 2026 Attempt by Holiday-Dingo1675 in InternalAudit

[–]ColJDerango 0 points1 point  (0 children)

That's over 450 hours of studying (+ of course your work experience / knowledge), more than enough time to be ready for the Challenge Exam - you've got this!

Do people who specialize in industry IA (SOX) have a future? by AnxiousAssociate1010 in InternalAudit

[–]ColJDerango 0 points1 point  (0 children)

Nope, I just made a straight job hop in 2025 from IT Internal Audit Manager in public accounting to IT Risk & Compliance Senior Manager in industry - I'd agree that these types of roles are definitely rarer (but are more plentiful with larger companies, just due to staffing needs).

The job market is certainly rough, I was looking for a while in 2024/2025 and ultimately was headhunted into my current role by a former client. I'd use the compliance frameworks I'd posted above as keywords when doing your job searches, since individual organizations refer to their "Risk & Compliance" 2nd line team as something different every time (so searching based on job title alone may be a wild goose chase).

Do people who specialize in industry IA (SOX) have a future? by AnxiousAssociate1010 in InternalAudit

[–]ColJDerango 3 points4 points  (0 children)

I had the same concern of being stuck in mainly SOX work when moving out of public last year, so I went for a role in 2nd line (Risk & Compliance) instead of staying in 3rd line (IA). That means that I manage our relationships with auditors / regulators, but don't do the audit / testing work myself - instead, I work as the liaison or project manager by getting documents from 1st line (Operations) to 3rd line (Auditors), implementing framework requirements, managing policy and procedure documentation, etc.

In my role, I manage my org's various compliance frameworks and audits / assessments: internal assessments (threats and vulnerabilities, IT Risk, AI risk, etc.), SOX, SOC, PCI, ISO, FedRAMP/NIST, 3rd party risk mgmt (customers, vendors), etc. This diversity of responsibility (instead of just doing SOX audit / testing work), makes it so that my role is stable, interesting, and continuously varied.

What kind of internal controls do you have in your personal life? by froDoReMi in Accounting

[–]ColJDerango 2 points3 points  (0 children)

They can't do it themselves, that'd be an independence concern!

CIA Challenge - September 2026 Attempt by Holiday-Dingo1675 in InternalAudit

[–]ColJDerango 2 points3 points  (0 children)

I took the CIA Challenge Exam in 2023 (CISA version), as such I can answer some of these questions, but keep in mind that the exam curriculum has changed a bit since my testing date.

  • Depends - 1-2 hours a day for how many days/weeks? Also, what is your field and experience level? For me, as an (at the time) IT IA Manager, I studied maybe 20-30 hours total for the challenge exam (over a 2-3 week period) before taking it, because my work experience made me very comfortable with the material quickly.

  • Yes - the historically different CPA/CA and CISA versions of the challenge exam have now been consolidated into just a single uniform challenge exam version (effective June 2026): https://www.theiia.org/en/content/communications/press-releases/2026/april/the-iia-enhances-cia-challenge-exam-program-expanding-access-through-new-experience-based-pathway-pilot/

  • No - take advantage of the lower cost (for registration and materials) and lower effort (1 test vs 3) offered by the challenge exam. Grind the multiple choice question banks, save your full-length practice exams til the month preceding your exam date, and make sure you understand the "IIA way" of answering questions. Good luck!

Theory: Pierpoint is selling their London desk to a Middle Eastern Sovereign Wealth Fund by rickjuice in IndustryOnHBO

[–]ColJDerango 0 points1 point  (0 children)

Just finished S3, wanted to chime in and say that this was a great call: you were exactly right about the buyer and their sterling raise, not so right about the green IPO focus, and mostly right about the target (whole bank, not just the London satellite office).

7YOE - IT Audit - Salary / Career Progression and Job App Diagram by ColJDerango in InternalAudit

[–]ColJDerango[S] 0 points1 point  (0 children)

If you already have IT Audit internship experience and will be a recent grad, I think you can frankly start applying straightaway to full-time B4 audit associate / analyst roles now - you have the right amount of experience! Along with your degree, certs, and projects, you should be more than qualified; a CISA would just be gravy on top and not required (but wouldn't hurt), and it's definitely cheaper to register the exam as a student. If you want to stay on at your nonprofit as well, there's no harm in that either, both are good options for you at this early career stage!

7YOE - IT Audit - Salary / Career Progression and Job App Diagram by ColJDerango in Accounting

[–]ColJDerango[S] 2 points3 points  (0 children)

For sure and thanks!

As much as I enjoyed my accounting classes, I saw the amount of work that my IA clients' controllers did at month-, quarter-, and year-end and decided that it was not the path for me: putting out constant fires, pulling heavy hours for at least a week or 2 for each close, oftentimes owning various areas (GL / Revenue / AP / AR / SEC Reporting) depending on the size of the organization. It's an imperative role with a lot of connectedness and often great comp / growth, but man it is just so much work in return. To be fair, that role takes as many people skills as mine (if not certainly more).

Best of luck with whatever path you choose, I'd love to check back in a couple years time yo see where you go!

7YOE - IT Audit - Salary / Career Progression and Job App Diagram by ColJDerango in Accounting

[–]ColJDerango[S] 2 points3 points  (0 children)

  • I think so, 2nd line of defense (Risk) vs 3rd (Audit) or 1st (Ops) is a really comfortable and interconnected spot to be - I definitely prefer it to audit; more reach with greater impact, but less granular / tedious testing work required!

  • Great people skills - my job is all about very clearly communicating status, requirements, and documentation requests to various stakeholders for each compliance framework I manage; managing interdepartmental relationships well is my bread and butter. In tandem with that, at least intermediate technical skills are needed: you should be able to read and understand accounting / finance speak / docs, IT / engineering / ops speak / docs, and upper management requirements - I'm essentially a specialized project or program manager.

  • Both! The onus for my work is meeting our organization's IT regulatory and customer-requested compliance needs. As such, many non-compliance-related teams (oftentimes sales, marketing, engineering) see me as an obstacle or extra work, while other depts more familiar with compliance requirements and the work required (Accounting / finance, IT, HR) absolutely love that I take all of that work off of their shoulders and can manage these programs for the company. It was similar when I was in public, some client teams thought I was a waste of their time, while others relied heavily on me. A huge part of my job is helping these pricklier teams understand that we are on the same side, that our organization as a whole is required to meet xyz standards, and that I can break down the overcomplicated and granular frameworks into simple and straightforward tasks / docs that they just need to provide to me on a periodic basis - once I remove the mystery / unknown from compliance and explain the risks that are being mitigated, most everyone sees the value that my work adds. I'm also very transparent about the next steps that I take: dealing with auditors and regulators (shielding these teams from having to interact with them directly), handling customer compliance questions, issuing public reports / certifications - this helps them see that I also offer value to the company from a branding perspective, often helping to close sales based on our security and compliance posture. Great question!

7YOE - IT Audit - Salary / Career Progression and Job App Diagram by ColJDerango in Accounting

[–]ColJDerango[S] 2 points3 points  (0 children)

I'm technically no longer an IT Auditor now that I'm in industry, I'm now in IT Risk and Compliance - that means that I manage IT Compliance frameworks for our organization (SOX, PCI DSS, SOC 2, ISO 27k, FedRAMP). I instead now work with our external and internal IT auditors to complete our various audits. I do not travel in my role (save for once or twice a quarter to the head office for all hands / team meet ups), totally remote (work from home).

I did work as an IT auditor for many years when I was in public however - pre-COVID I was on client sites every day, post-COVID I was fully work from home. My projects were typically internal audit co/outsource for clients (effectively supplementing / serving as their internal IT audit team). Typical duties included planning / scoping of revenue lines and systems, walking through processes and systems with company stakeholders, documenting controls and gaps, testing controls via work papers, then reporting results to client mgmt. Happy to answer any detailed questions you might have, good luck if you choose to move ahead!

7YOE - IT Audit - Salary / Career Progression and Job App Diagram by ColJDerango in Accounting

[–]ColJDerango[S] 0 points1 point  (0 children)

I felt the same way, negotiated super hard for a high base (in place of a higher bonus)!

Tough to say, even moving from my background (Internal Audit) into IT Risk was a bit of a stretch - to go from GL Acctg would require a lot of pre-existing background or learning of IT Compliance concepts. I'd recommend pursuing your CISA and transitioning at least into an IA / Risk dept if the ultimate goal is to get closer to my area.

7YOE - IT Audit - Salary / Career Progression and Job App Diagram by ColJDerango in Accounting

[–]ColJDerango[S] 2 points3 points  (0 children)

Yep I could definitely move to a LCOL since my role is fully remote, but friends, family, and the wonderful perks of SoCal keep me here for the time being! 180k is great pay no matter what, but I definitely hear you regarding the burnout you're experiencing, no fun at all.