Are technically strong IT auditors becoming rare?
We're currently trying to grow our IT audit team with experienced hires, and I'm genuinely wondering whether this is a market issue or whether our expectations are off.
The role includes a mix of SOX ITGC work and broader operational IT audits, so we're looking for people who understand both audit methodology and the technology they're auditing.
What we've been seeing is that candidates often fall into one of two camps:
Traditional IT audit backgrounds with solid audit methodology but fairly limited technical depth.
Cybersecurity/GRC backgrounds with good knowledge of frameworks and compliance, but less understanding of the underlying infrastructure and technical controls.
To be clear, I'm not expecting systems administrators or network engineers. I don't expect someone to configure a firewall or administer Linux servers.
What I do expect is that an experienced IT auditor can have a meaningful discussion with infrastructure teams and understand concepts like networking, identity, operating systems, and common technical controls. Otherwise, it becomes difficult to move beyond checking documentation and confirming that policies exist.
We don't believe compensation is the limiting factor, so I'm trying to understand whether:
This is simply what the European market looks like today.
Our sourcing strategy needs work.
Our expectations are unrealistic.
One concern I keep coming back to is how much value an IT audit function can provide if the team doesn't have enough technical depth to challenge IT teams beyond reviewing documentation and evidence. For operational IT audits especially, I struggle to see how we can provide meaningful assurance if we don't understand the environments we're auditing.
For those hiring or leading IT audit teams, has this been your experience as well? Have you changed where you source candidates, lowered your expectations, or is this just the reality of the market today?