Leads information security audits across enterprise systems: owning audit programs, leading complex investigations, and partnering with security and IT leadership on remediation. Senior role inside internal audit, public accounting, or specialized assessor firms.
Most weeks involve leading audit cycles, mentoring junior auditors, and engaging with security leadership. You'll often own scope on complex audits aligned to frameworks (NIST 800-53, ISO 27001, SOC 2, PCI DSS, FedRAMP), lead investigations on suspected control failures or incidents, coordinate with security operations on remediation, and present findings to audit committees, regulators, or client leadership. The work tends to deepen security and compliance fluency in parallel.
What's harder than people expect is the velocity of change: the threat landscape, technology stack, and regulatory expectations all evolve rapidly, and senior auditors need to stay current to remain credible. Variance is meaningful between internal audit at large enterprises (broader scope, integrated risk programs), public accounting (multiple SOC 2 or compliance examinations per year), and dedicated assessor work (PCI QSA, HITRUST, FedRAMP 3PAO). CISA, CISSP, and CISM tend to be table stakes.
People who tend to thrive here are technically credible, patient with documentation, and able to translate between security, IT, and audit perspectives. If you want hands-on security engineering or incident response, the control-testing focus can feel passive. If you find satisfaction in owning the audit perspective on whether an organization is actually secure, the work tends to grow in demand and lead into senior audit leadership, GRC, or CISO-track roles.
Where this role sits in the broader career landscape, and where it can take you.
Roles like this one sit within a broader occupational category. The numbers below reflect that full landscape, which is helpful for context, but your specific experience will depend on level, specialty, and where you work.
Median pay for a Senior Information Security Auditor is about $109K nationally, with the field ranging roughly from $53K to $177K depending on experience, employer, and metro (BLS).
Core skills for this role include Reading Comprehension, Critical Thinking, Active Listening, Writing, and Monitoring.
Most people in this role hold a bachelor's degree.
Employment in this field is projected to grow about 8.2% through 2034, with roughly 439,380 people working in it today (BLS).
Closely related roles include Information Security Auditor, Senior Security Specialist, and Senior Security Engineer.