In this chapter we have discussed the real purpose of auditing, ways to add value outside of formal audits, how to build relationships, and what the IT audit function should do. However, none of these things is possible without an effective team in place to execute them. In this section we'll discuss how to build and maintain an effective IT audit team.
In the preceding section we discussed different models of the function of the IT audit team. The model you choose will greatly influence how you build your team. As mentioned in that section, some companies really look for their IT audit team to focus their efforts at the application layer. In such cases, people with knowledge of the company's principal applications and the business functions that those applications support are critical. Likewise, if the intent is for the IT audit team to spend its time pulling data for the financial auditors, it will be critical to hire IT auditors with detailed knowledge of data extraction and analysis tools.
However, let's assume that the intent is for the IT audit team to perform comprehensive IT auditing, performing work at all layers of the stack but relying on the financial auditors to be involved in reviewing the finer points of the business application controls. How should this team be staffed? Let's look at the two basic profiles of IT auditors and the pros and cons of each. After this discussion, we'll also look at the option of cosourcing the IT audit function.
The first profile is the career IT auditor: people whose entire background basically consists of performing IT audit work at various companies. They generally will have Certified Information Systems Auditor (CISA) and/or Certified Information Systems Security Professional (CISSP) certifications and lots of experience at performing general controls reviews and Sarbanes-Oxley compliance reviews.
It is essential to have some career IT auditors on your team because they are well versed in audit theory and in internal controls at a conceptual level. They understand how the audit process works and the important concepts of testing and substantiation.
However, you don't want to have an entire team made up of career IT auditors. They tend to understand IT in theory, but they usually never have been responsible for day-to-day operations of an IT environment. Their depth of technical understanding is therefore often fairly light, limiting your team's ability to perform in-depth technical reviews. These auditors often stay at the surface general controls review level when performing reviews. Their lack of operations experience can lead to credibility problems with your audit customers because they sometimes can be fooled and often don't have the ability to keep up with their customers when having in-depth conversations about issues. When the customers state that implementing a control is technically impossible, these auditors often won't have the knowledge to either refute or validate the claim and won't know of potential alternate mitigating technical controls to suggest. This also sometimes leads to customer complaints because the customers have to spend too much time training the auditor on the basics of the environment.
These are obviously generalities, and there are plenty of career IT auditors who have extreme technical depth of knowledge. But even then, these auditors are prone to live in a fantasy world where they feel that every control must be fully mitigated, without consideration for the operational impact and the need to perform cost/benefit analyses. Again, it is critical to have some career IT auditors on your team because they form your foundation. However, creating an entire team of these types of auditors likely will lead to your team having a reputation of not really understanding how things work.
Except in rare cases, these auditors will be coming from outside your company (it's highly unlikely that you'll find someone with audit experience already working in your IT organization). There are three basic sources for these auditors.
People with internal IT audit experience at other companies. These people are the most likely to come in and quickly contribute. It will be important to ensure that their IT audit shops had the same focus as yours (e.g., if you plan to be a comprehensive IT audit shop, you might not want to bring in someone from an IT audit shop that only reviewed things at the application layer). They are the most likely to have performed in-depth technical reviews and understand the importance of positive relationships with audit customers.
People with external IT audit experience. These people can provide a valuable asset to the team, bringing a deep understanding of audit theory. Unfortunately, most of the "Big 4" external auditing companies do not perform in-depth technical reviews. During their IT audits, they tend to skim the surface and focus on generic general controls. It is often difficult to find someone from an external audit firm who really understands the technology he or she is reviewing. These folks are the most likely to hurt your credibility with your audit customers and give you a reputation of not really understanding how things work. They are also the most likely to live in a fantasy land, where they push for all controls to be 100 percent mitigated instead of bringing some perspective to the table that not all issues are created equal.
College hires. There are some universities with good IT audit programs. It is possible to hire people from these programs who have a good theoretical understanding of auditing and also have played around with lots of different technologies. The key is to find the truly technical folks, the ones who enjoy learning new things and have an aptitude for it. Obviously, college hires will require more guidance, and you wouldn't want to build a whole team around them, but they can provide a lot of energy to your team and also can bring knowledge of the latest technologies.