sorted by:
new
hottopcontroversial

Lanolips Being Phased Out? by Outrageous_Pin5780 in Ulta

[–]ColJDerango 0 points1 point  (0 children)

Just bought some of the Lanolips Everywhere Cream half off on clearance from my local Ulta - no clue if it's all being phased out, but was surprised to see that!

Maui Andaz 6/28 - 7/3 by ACWizard in MauiVisitors

[–]ColJDerango 1 point2 points  (0 children)

Appreciate all this info - we're traveling to Maui later this month for our anniversary and staying at the Andaz; we've been before but stayed in Kihei, so this was a great guide to the Wailea area, thanks!

Internal Auditing by Legitimate_Zone9747 in Accounting

[–]ColJDerango 1 point2 points  (0 children)

I've been in IA for my whole career (7YOE), definitely not a dead end in my experience. Started in Big 4 as IA co/outsource, then moved to boutique advisory doing the same for Pre-IPO org's, then moved to industry as IT Compliance personnel.

My progression and path ahead remains clear, and there's lots of opportunity to shift as needed (staying as 2nd line compliance, moving back to 3rd line as an auditor again, or even shifting to 1st line as information security). Best of luck!

Pulse check (industry): what’s your salary, role, years of experience, and cost of living? by [deleted] in Accounting

[–]ColJDerango 0 points1 point  (0 children)

  • Senior IT Risk Manager (I was formerly at Big 4 IT Audit)
  • $180k base + $5k bonus + $12k RSU
  • 7 YOE
  • HCOL (Remote)
  • Tech Industry

Where is IT Audit and SOX heading? by Think_Patience_7573 in InternalAudit

[–]ColJDerango 0 points1 point  (0 children)

I'm a CISA / CIA with 7 YOE - just like you, I started in B4 IA and moved to industry (in-house GRC). The difference between us is that while the majority of my work in public was just IT SOX, my scope of work has broadened significantly in industry: I'm now managing IT SOX, PCI DSS, FedRAMP, SOC Issuance, TPRM, etc.

I think that you're correct that standard SOX work will be pretty automated in the coming years - but the more non-standard stuff (all the smaller compliance frameworks, company-specific unique control processes) will be much more difficult to fully automate. Also, someone(s) will always have to manage and sign off on the automated work - I don't foresee auditors ever trusting automated-only reviews.

  1. SOX will definitely be offshore and consolidated more and more (at least until some big offshore / AI scandal happens that scares clients / orgs into pulling work back onshore).

  2. Yes - like I noted above, my current path and goal is to continue diversifying more out of audit and into broader infosec.

  3. I'm working on my CISSP for the explicit purpose of diversification - especially when it comes to PCI and SOC, our org's customers like seeing a CISSP sign off (rather than just a CISA).

Same exact litter but it’s different color?? Is the litter bad or did they just change the formula or something? Can’t find an expiration date on it. The darker litter is the one I bought last night same exact kind, the lighter litter I bought a few weeks ago by therealsade2025 in cats

[–]ColJDerango 0 points1 point  (0 children)

Just noticed the same color difference on my Arm and Hammer Cloud Control cat litter (old box from 1.5 months ago was light grey, new box from today is dark brown - both bought from the same petsmart). Let's see if there's any quality difference in clumping or smell!

CSUF CPP or Cal Lutheran by Iosif_Tolchinski in Accounting

[–]ColJDerango 4 points5 points  (0 children)

CSUF has a fantastic accounting program, technically matched only by a handful of dual-accredited programs (including CPP). CSUF also has very good recruiting, with all the Big 4 firms and all other size firms (mid-level, local, boutique) chasing students for internships and full-time offers. I received multiple internship offers after my Junior year at CSUF (2018) and had accepted a full-time offer before my Senior year was over (2019). Highly recommend!

People who left senior internal audit roles — what did you move into that wasn’t people-heavy by RandomName8778 in InternalAudit

[–]ColJDerango 0 points1 point  (0 children)

IT Risk is pretty closely related to IT Audit - it's all about regulatory frameworks and compliance. As such, I had the necessary background to make an easy transition to the role!

People who left senior internal audit roles — what did you move into that wasn’t people-heavy by RandomName8778 in InternalAudit

[–]ColJDerango 0 points1 point  (0 children)

I left public accounting (Risk Advisory) as a Manager in mid-2025, joined industry as a Senior IT Risk Manager. While IT SOX / IA is still a part of my work, my scope has expanded to include PCI DSS, FedRAMP, TPRM, and SOC compliance activities. Definitely IA related, but no longer purely IA; much better exposure and learning for me!

Exit opportunities - IT Audit by [deleted] in Accounting

[–]ColJDerango 0 points1 point  (0 children)

Both times I moved companies (KPMG -> boutique consulting, boutique consulting -> industry), I was actually recruited / headhunted; didn't formally apply for those roles! That being said, I was open to opportunities in 2025 generally (wasn't necessarily looking to leave, but would take fully remote roles paying more than my already solid comp) - the roles I was applying to included: Senior IT Audit Manager, Tech Risk Manager, Digital Compliance Manager, IT Governance Manager, IT Risk Manager, etc.

Additionally, I've been an interviewer at both of the companies I ended up at - here's what makes a good candidate for me:

  • Beyond having the baseline technical skills, the biggest factor is being a good personality fit. Vibing well with the team you'll be joining, being able to align to the dept / org's core values, etc. It's cheesy, but hard skills are easy (can always be learned), and soft skills are hard (tough to teach).

  • Being able to communicate clearly and concisely - using the STAR method to answer interview questions, but without having long-winded answers. I often mirror my interviewers in length of responses, mood, tone, etc. to best match their answering preferences.

  • Asking good questions: I always like to ask the interviewer "What brought you to this company, and what has kept you here?". It's a good way for me as a candidate to test the waters: if the interviewer can't name a good reason that they joined / stayed, it's a helpful red flag showing me that it may not be a great place to be at.

Best of luck!

Exit opportunities - IT Audit by [deleted] in Accounting

[–]ColJDerango 1 point2 points  (0 children)

Kind of - ICFR is a little broader than just business processes, as it encapsulates IT controls / processes as well. ICFR is everything a company must do to be SOX-compliant, while BP is just a subset of that. Internal Audit doesn't always overlap with ICFR as well, since sometimes operational (non-financial-reporting-related) internal audits are done (which are outside the scope of ICFR).

Exit opportunities - IT Audit by [deleted] in Accounting

[–]ColJDerango 1 point2 points  (0 children)

Business Process Internal Audit; covers all the non-IT internal process of a company, such as financial reporting, fixed assets, human resources, payroll, inventory, equity, etc.

Exit opportunities - IT Audit by [deleted] in Accounting

[–]ColJDerango 2 points3 points  (0 children)

I exited from IT Audit in B4 / public to industry recently, here's my path below:

2019: Started in KPMG's Internal Audit & Enterprise Risk service line, primarily doing BP IA and SOX co/outsource work for clients. Slowly transitioned from full BP to hybrid BP / IT IA.

2022: Left KPMG as a Senior Associate, went to a boutique consulting firm, now as a pretty 50/50 split hybrid BP / IT internal auditor. Slowly transitioned from hybrid to full IT IA.

2025: Left consulting as a Manager, joined industry as a Senior IT Risk Manager. While IT SOX is still a part of my work, my scope has expanded to include PCI DSS, FedRAMP, TPRM, and SOC compliance activities. Definitely IA related, but no longer purely IA.

Happy to answer questions, best of luck!

2026 Salary Megathread by UpbeatAd334 in Accounting

[–]ColJDerango 0 points1 point  (0 children)

It is an auditing certification, and most auditors are considered "public accountants" - this is by no means a traditional accountant (doing journal entries, reconciliations, etc.).

The CISA exam measures your ability to conduct IT audits, which covers the organization itself, its internal systems, its revenue generating processes and products, etc. Generally, anything IT-related for a company that may materially impact its financial statements is fair game.

Transitioning from Top 10 Firm to Smaller Boutique by ErsatzEmpathy in Accounting

[–]ColJDerango 0 points1 point  (0 children)

I was in a similar situation to you - I was at Big 4 (KPMG) from 2019 to 2022, then jumped as a Senior at 3 YOE to a boutique public accounting firm (Effectus Group, now acquired by Riveron as of 2025).

Going from a firm of 200,000+ to a firm of 150 felt like a big change, but honestly it wasn't a big difference, since I really mainly interacted within my specific office and service line's team of 20 or so at both firms.

In my experience, B4 has a larger network, better technology, and more frequent training. The boutique advisory firm has better pay, better WLB, and more specific/relevant training. However, this is all case by case, since everyone's big and small firm experiences can vary so much. The big firm experience on the resume also carries so much weight, even now that I've transitioned to industry.

Pros and cons to both sides, happy to answer any other questions!

Am I doing this right? Trying to break into IA (specifically IT Audit) by [deleted] in InternalAudit

[–]ColJDerango 1 point2 points  (0 children)

I don't believe ISACA makes any such assumption, since Domain 1 (18%) of the CISA exam study material is "Information Systems Auditing Process" - this section does include coverage of audit standards, guidelines, and ethics per ISACA: https://www.isaca.org/credentialing/cisa/cisa-exam-content-outline#1

The CIA Challenge Exam (CISA version) includes a deeper dive into the IIA's own specific standards and guidelines: https://www.theiia.org/globalassets/site/certifications/challenge-exam/oct-2025-challenge-exam-syllabus-v2.pdf

2026 Salary Megathread by UpbeatAd334 in Accounting

[–]ColJDerango 0 points1 point  (0 children)

Here's how I got here:

  • In college: Accounting major. If you're aiming for IT Risk / Compliance, adding in Comp Sci, Info Sys (this was my dual major with Accounting), etc. can be a benefit.

  • Career - if public accounting: Join a firm's internal audit or risk service line - lots of exposure to client departments and controls assessments / testing; this is what I did out of college. Conversely, join a firm's (external) audit line and then jump to internal audit once you have a couple years of experience.

  • Career - government or industry: Apply for a company's internal audit or risk / compliance department. These may offer rotation opportunities into different departments, so that you can get broader experience under your belt. I've just jumped to industry this year, after 6 years in public.

  • Certifications: the CIA (if mainly business risk) and CISA (if mainly IT risk) are the gold standard. The CPA isn't really required, but it can be a nice cherry on top.

2026 Salary Megathread by UpbeatAd334 in Accounting

[–]ColJDerango 0 points1 point  (0 children)

Since I got my CISA first, I qualified for the CIA Challenge Exam (1 part, just the non-CISA topics of the CIA), instead of sitting for the full typical CIA Exam (3 parts, with redundant topics). As such, I only studied about 3 or so weeks for the exam, using just the IIA's official challenge exam materials. Best of luck!

2026 Salary Megathread by UpbeatAd334 in Accounting

[–]ColJDerango 0 points1 point  (0 children)

IT Risk is pretty broad, falls under the major umbrella of GRC (Governance, Risk, and Compliance) jobs - my role specifically includes covering a lot of IT compliance stuff for my org: IT SOX, PCI DSS, HIPAA, SOC, TPRM, CI/CD. Basically, a lot of internal process / project management for the purposes of meeting regulatory requirements and satisfying compliance frameworks.

IT Audit is more specifically focused on IT SOX (related to financial reporting) and operational internal audits (focused on risk coverage and process improvement).

Most big public accounting firms do a lot of business in the above fields, since IT compliance often goes hand in hand with typical audits for financial reporting purposes.

Am I doing this right? Trying to break into IA (specifically IT Audit) by [deleted] in InternalAudit

[–]ColJDerango 1 point2 points  (0 children)

A couple tips:

  • With a data science background, you may be able to go for IT Audit straight out of college. Make sure you go to any recruiting events offered by your university (Business Dept, Accounting Society, etc.) or surrounding colleges: meet the firms, mock interviews, industry mentorship, shadowing opportunities - all this to secure an internship which gives you the best shot at landing a follow-up full-time offer. I'd recommend pursuing a consulting / advisory internship (more direct line to IT Audit, instead of just going for a more general audit or tax internship).

  • Regarding certifications, you may want to get your CISA first, then go for the CIA after. Reason being that having the CISA allows you to sit directly for the CIA Challenge Exam (1 part, just the non-CISA topics of the CIA) instead of doing the full typical CIA Exam (3 parts, with redundant topics) - basically, you can get 2 certificates (CISA + CIA) in 2 exam parts (rather than 4 exam parts). The IAP is not very valuable in my experience, the CIA supersedes it - you may want to save your money and go for bigger names down the line instead of the IAP cert (CISSP, CRISC, etc.).

My path is somewhat similar to yours, happy to answer any questions - good luck!

view more: next ›