IT auditors coveted, hard to find

Companies compete for needed skills as Sarb-Ox deadlines near

Looming deadlines for Sarbanes-Oxley Act compliance have led accounting firms and other companies that are scrambling to comply with the financial-reporting law to ramp up their recruiting of workers who have essential IT auditing experience.

For instance, Jose L. Carrera Jr., an enterprise risk management practice leader at accounting firm Singer Lewak Greenbaum & Goldstein LLP in Los Angeles, last week said he recently received job offers from two Fortune 250 companies seeking to hire IT audit directors.

Carrera said one company told him he would get a $40,000 bonus if he worked there for at least a year. The other company, an electric utility, is offering an "impressive" salary bump, a generous relocation fund for his family and a handsome stock-option package, Carrera added. "If I move, I can add a nice little chunk to my 401(k) retirement program," he said, noting that he hasn't decided yet whether he will take either job.

Others agreed that IT audit professionals like Carrera are in big demand as large companies race to document their internal IT and financial controls to meet the Sarbanes-Oxley compliance deadlines set by the U.S. Securities and Exchange Commission. The deadlines will begin taking effect with fiscal years that end on or after Nov. 15, so companies that report their results on a calendar-year basis will need to comply by year's end.

The so-called Big Four accounting firms can't find enough people to help their clients do the documentation work mandated by Section 404 of Sarbanes-Oxley, said Marios Damianides, international president of the Information Systems Audit and Control Association and the Information Technology Governance Institute, which are both in Rolling Meadows, Ill.

Damianides, who is also a partner in the technology and security risk services group at Ernst & Young LLP in New York, predicted that the shortage of IT auditors will become even more severe this summer, when companies begin testing their systems for Section 404 readiness in earnest.

That could pose a problem for many companies because accounting and consulting firms are actively recruiting IT auditors from the customers they're working with, said Stan Lepeak, an analyst at Meta Group Inc.

"I think a lot of IT departments are going to be late [in complying], partly because they started late but also because of competition from external auditors," he said. "Companies will face some serious resource constraints."

Lepeak and other observers said some experienced IT auditors are commanding salary increases of 25% or more from recruiters. In other cases, companies are offering only marginal salary increases but are trying to entice auditors with big sign-on bonuses.

Pam Downham, technology and risk services people leader at Ernst & Young, said her company has increased the head count in its IT risk practice by 30% over the past 10 months. It has also more than doubled the number of recruiters who are working for the group from eight to 18 since last August.

Downham, who is based in Indianapolis, added that the IT risk unit still has nearly 200 openings that it's trying to fill by June 30. "We continue to hire like crazy," she said, declining to disclose the IT group's total head count.

Unlike Y2k work, Sarbanes-Oxley compliance efforts are expected to be an ongoing exercise in which companies will have to document their internal controls on a quarterly basis and have them certified by external auditors annually.

As a result, there likely won't be a sudden drop-off in demand for auditors the way there was for Cobol programmers after Jan. 1, 2000. "There will be a bit of a bump [in demand] over the next 12 to 18 months," Lepeak said. "But you'll still need IT auditors around to address changes that occur in the business."

"A year ago, I talked to a guy who said that [Sarbanes-Oxley] would become the 'full employment act' for accountants and lawyers," said Carter Priess, CEO of Pace Solutions Inc., an IT auditing consultancy in Danvers, Ill. "My impression today is that SOX is the full employment act for IT auditors."

Copyright © 2004 IDG Communications, Inc.
