These are people who are subject matter experts on technology but have no experience with auditing. These auditors can bring incredible maturity of understanding to your team in their specific field of expertise, allowing you to enhance your audit approach and audit tools for reviewing those technologies. However, it is tough to find the right personality fit. There are some common pitfalls of which to be aware.
These auditors can do wonders for your ability to perform in-depth value-added audits and to really speak the language of your customers. They bring credibility to your organization because they've done what your customers have done.
Many IT professionals get their job satisfaction from touching and supporting the technology day to day. When they join an IT audit team, it is a shock to their system, and they find that they've lost the part of their job that they enjoy the most. Although they are working with technology, they are not responsible for operations and are instead looking at other people's environments. When recruiting IT professionals, it is important to be up front with them about this aspect of the job so that they are coming in with their eyes open.
It is also important to find someone who has shown that he or she can learn new things quickly. Maybe in the old job, all he or she did was support Unix. In the auditing job, however, such a person will audit Unix sometimes and also every other significant technology that exists at the company. You want people who are quick learners and also enjoy learning new things.
Another downfall of these sorts of auditors is that sometimes IT professionals never really "get it." They never really develop the ability to perform complex risk assessment, especially when it comes to examining processes (as opposed to looking at technical settings within a technology). They need to be able to examine a beginning-to-end process and determine where the holes are, and this is a skill that often does not come easily to people who have been supporting a specific technology day to day. During the interview process, it will be important to gauge the potential auditor's ability to "think like an auditor" by posing some scenarios and examining how his or her mind works.
It is also important to find technical professionals with the appropriate communication skills, both oral and written. They must have the ability to explain technical concepts and issues at all levels. They must be able to explain their concerns in a way that convinces the most technical person and also in a way that will allow senior management to understand the concern to the extent that they can understand the need for action. During the interview process, get these prospective auditors to explain a technical concept to you in order to see if the basic communication skills are there.
You also will find that a common weakness of this type of auditor is documentation skills. They're not used to the process of documenting their work in the orderly fashion required for audit workpapers. You'll have to spend time coaching them on how to get what's in their head into the workpapers.
These auditors also generally come from three sources.
Technical professionals from within your company This profile is the ideal. Not only do such auditors provide you with detailed knowledge of the technology they've been supporting, but they also understand how the company's specific processes work. In addition, they're likely to have many relationships throughout the company and bring instant credibility to the IT audit team. This name recognition can be invaluable. Of course, you'll need to be careful not to assign them to directly audit the area they just came from, at least for a while. Another benefit is that it increases the integration, from a career development standpoint, of the IT audit team with the rest of IT. It is encouraging for the IT audit team to see movement back and forth between IT audit and the rest of IT. Although it is possible that an IT professional could rotate to IT audit and decide to make a career of it, it is more likely that he or she will rotate back to IT after a while. This helps your company's goal of retaining top talent because the IT audit team becomes more likely to look within the company when it is ready to move. As you move people in and out of the IT audit department, it becomes more and more natural, and the IT audit team becomes an area that people in IT consider while planning their careers.
Technical professionals from outside your company These people can bring excellent depth of technical understanding with them, along with some knowledge of how other companies have implemented internal controls. However, you will have to teach them how your company's IT environment works, along with teaching them how to audit.
College hires It will be rare to find someone who obtained a nonaudit technical degree but wants his or her first job to be in auditing. However, it can happen, and there can be some benefits to bringing in the right people who fit this profile. Look for someone who will bring fresh energy to the team, along with "book knowledge" of the latest technologies.