A decade ago, risk management largely meant determining the appropriate insurance policy for the destruction of a building or downtime of a processing plant, and paying the premiums, muses Tony Munns. It's not news to anyone in the accounting community that things have changed dramatically. Risk management, including IT audits, disaster planning, and security, is one of the hottest job areas for accounting firms.
The American Institute of CPAs ranked a series of topics that relate to risk management in the first four of its Top Ten technologies for 2006. These were 1. Information security; 2. Assurance and compliance applications; 3. Disaster and business continuity planning; and 4. IT governance.
There's no surprise that there is a boom in regulation, and a boom in hiring throughout the financial community.
"We certainly had a growth in disaster recovery and business continuity planning as a direct fallout of Hurricane Katrina," says Munns, CISA, partner, and head of risk services at St. Louis-based Brown Smith Wallace.
Clifton Gunderson is performing three times as many IT security tests this year as it did last year. Inquiries are up as well, with three or four calls per month, says George Fallon, IT partner for the Peoria, Ill.-based firm.
Sometimes it seems that regulatory issues were only slightly less publicized than the impact of natural disasters. Legislation such as Sarbanes-Oxley and Gramm-Leach-Bliley, on top of the demand for disaster recovery and business continuity planning, have converged to drive up demand for IT auditors to perform risk management assessments.
"The amount of work and demand has increased significantly because of those three things," says Lawrence Rieger, executive-in-charge of risk consulting services at Crowe Chizek. "The SOX demand alone has doubled the need for IT risk professionals."
Munns' career at Brown Smith Wallace reflects the growing demand for staff at regional firms. The 32-year-old firm, which had $18 million in revenue in 2005, established its risk management services practice four years ago by hiring Munns, who came from Arthur Andersen, where he was one of six people redesigning the firm's worldwide technology at the end of that organization's existence. He started as the only member of the risk management department. Within four years, the group employed 24 and is continuing to grow.
Risk Management: A Jobs Definition
With the growing number of risk-management jobs that touch on computer systems, there are also a number of related job titles.
Many of these jobs require experience with specific software packages. Besides looking for those with IT experience, employers also seek candidates with credentials such as the CPA, MBA, CISA, or Certified Internal Auditor. There are also a diverse number of backgrounds sought. In a recent ad for an IT auditor by Robert Half Technology, a client sought those with college degrees in computer science, math, physics, business, IT/IS, or a related field, along with the CISA credential, vendor, and security and technology certifications. In fact, IT audit opportunities range from openings with employers looking for those with accounting and finance backgrounds to those who are more oriented towards prospects with technology credentials.
To define the different occupational slots, here are two titles and the duties as outlined in recent advertisements by the employers. The qualifications listed here are summarized from online ads on Monster.com.
Information security auditor. RSM McGladrey defines this position to include a professional who analyzes and evaluates information technology security risks and controls, provides IT risk-reduction recommendations, develops policies and procedures as they relate to information security, performs general IT control reviews and SAS 70 reviews, designs IT security infrastructure, and participates in IT strategy planning.
IT audit manager. Crowe Chizek puts this manager in close contact with clients in developing comprehensive work plans to review systems and processes and assess business risks. The manager also serves as project leader in executing the systems audit plans supporting SOX Section 404 internal control documentation, and provides detailed recommendations regarding improvement of business systems to ensure all noted deficiencies are addressed.
Brown Smith Wallace recently hired a technology staff auditor to perform internal audit services and Sarbanes-Oxley documentation and testing.
By June, with the demand continuing, the firm estimates it will need another six people to handle its mounting IT, financial, and operational audits. "It's a challenge to find the right caliber of candidates," says Munns.
A Scarce Resource
The situation is the same at Crowe Chizek. Since SOX's passage, the Indianapolis-based firm has tripled the number of personnel in its IT risk management practice. In January, there were 110 employees in the practice, compared with just 30 in 2002.
Even before SOX, Rieger says, there was a rise in demand for IT auditors to manage companies' platforms. By the end of this year, Crowe Chizek wants to add another 40 IT auditors.
"We don't see the demand abating," he says.
The result has been an explosion of advertisements for a variety of related jobs, including IT auditor. That demand has been pushing opportunity downstream, since accounting firms can't provide consulting services to audit clients, which has resulted in a great deal of work falling into the next tier.
The demand is so high that in the fall, UHY Advisors was offering sign-on bonuses. In Europe, Ernst & Young has been recruiting recent college graduates as trainees for IT auditing positions.
The recruiting site Monster.com is full of ads for risk assessment jobs. The key word "IT auditor" easily brings up more than 1,000 postings, with corporations, accounting firms, and recruiters vying for the attention of qualified candidates.
Dixon Hughes finds 75 percent of its IT audit candidates through networking and referrals. The High Point, N.C.-based CPA firm finds the remaining 25 percent via online job boards and through college campus recruitment. For Dixon Hughes, the campus effort is new.
"Last year, we began recruiting on college campuses," says Rodney Murray, Dixon Hughes' senior manager for the financial institutions practice.
In January, the company was advertising for a senior information systems auditor. However, the firm's hiring needs go beyond finding one new person. The firm now has seven IT auditors, double last year's total, and is still growing.
Some firms seek professional help. To complement its online search for senior auditors with public accounting experience in auditing internal controls, Cotton & Co. hired a part-time recruiter in October. The search firm is looking for accountants as well as auditors.
"She [the recruiter] has had much more success with the accountants," says Loren Schwartz, CPA, CISA, and a partner at the Alexandria, Va.-based firm.
The firm has since hired 20 accountants and two auditors, raising the latter total to 13. It has interviewed more than 25 candidates for the four auditor positions available now.
Another recruiting challenge faced by Cotton is candidates who claim SOX know-how, but who have little field experience. Schwartz says the Big Four are largely to blame for this phenomenon, since they hire new people, train them quickly, and then put them on SOX engagements to handle the IT portion.
"The problem is a number of people are claiming IT audit experience with six months' SOX experience," he says.
Strong demand, of course, means that salaries have risen.
Salaries for IT auditors with little or no experience start around $45,000, with mid-to-senior level candidates garnering between $60,000 and $80,000 and experienced managers receiving six figures.
CPA firms generally don't discuss salaries, nor do they advertise the amounts. However, the recruiting firms do, and at the end of January, Robert Half Finance & Accounting was seeking an IT auditor with five to 10 years' experience for a national CPA firm. The salary range was a $100,000 to $110,000 base, with bonus potential.
With the escalating salaries, it is also a challenge to retain talent.
Clifton Gunderson boasts of the firm's commitment to work/life balance. "We try to have a good work environment and not to force a lot of overtime on them," says Fallon.
Still, it can be very difficult to hire someone from another firm.
"The cost of attracting and hiring away somebody from a competing firm is very high," says Rieger. "You have to factor in a hiring bonus, compensation for the bonus they were to receive from their former employer, and [the need to offer] a higher salary."
However, quality of life counts. Brown Smith Wallace was able to land Munns, partly because his wife objected to him making a move to another city. It was a similar desire to get off the corporate travel treadmill that enabled the firm to land the practice's co-leader, Ted Flom, a CPA and CISA who spent 12 years with KPMG.
Assembly Line SOX?
Compliance may not be completely suited to techniques used to mass-produce automobiles, but Crowe Chizek is trying to adopt some of the principles of assembly-line production to its SOX business. It hopes the result will be that it can perform more work without ramping up its hiring commensurately.