Of course, it is very possible for people to move back and forth between these two categories. You may bring someone in from IT, and he or she may decide to become a career auditor. Or you may have a career auditor who, after joining your company, decides that he or she wants to move into IT. You should be supportive of people making these transitions. The most successful IT audit shops have a mixture of these types of auditors and provide flexibility to people in managing their careers. There are some companies that have a forced rotation, where the audit department is basically a training ground for the rest of the company. In these companies, people are forced to leave the audit department after a set amount of time (usually two or three years). While this is a good way to train people on the company's processes and technologies, it is not the way to build an effective IT audit team. If the team is experiencing constant turnover, it harms the ability of the department to form a mature foundation to provide for continuous improvement in how the team's mission is accomplished. The team instead is always focused on bringing the new folks up to speed. A great alternative is to have a mix of career and rotational auditors so that you maintain a firm foundation of long-term auditors and also are providing movement back and forth with IT.
As you begin your search to build out your audit team, here are some of the key traits of a successful IT auditor:
Ability to dig into technical details without getting lost in those details.
Analytical skills. It is critical for the auditor not only to understand technologies but also to be able to use that knowledge to uncover risk to the business and apply judgment regarding degrees of risk. This often is not a black-and-white job; you need people who can really think through a process or technology and frame up the risk to the company.
Communication skills (both written and oral). This is a huge emphasis for this job. An auditor must be able to help all levels (from the most detailed technical person to the highest level of management) understand exactly why he or she has a concern with something. This means that he or she must be able to lay it out logically in layperson's terms for management but also explain all the technical details of his or her concern to the people who work in the area day to day.
The ability to quickly learn the key concepts of new technologies and identify key risk points within those technologies.
Willingness not to be touching a specific technology daily. It's important for people to understand that while there is a lot of hands-on work when performing audit analyses, they won't be acting as the administrator of a production Unix box, managing routers, etc.
As you attempt to recruit people out of your company's IT organization, keep in mind the following benefits of the job as selling points:
Exposure to a wide variety of technologies. The audit department will perform hands-on audit work of just about any technology used at the company.
Opportunity to work with many levels of management. Auditors get a chance to work with and present to all levels of IT management in all IT organizations.
Broad view of the company and other IT groups. There are very few jobs that provide an opportunity to work with so many different IT groups. The IT audit job provides an unparalleled opportunity to network and build your career via the development of relationships across the company's IT landscape.
Opportunity to lead projects. Most IT audit groups rotate project leader assignments (after a period of training, of course), giving everyone a chance to direct resources, set project milestones, work closely with management of areas being audited, etc.
Some companies cosource the audit function, bringing in auditors from external companies as supplemental labor. This is a fine thing to do if you have a need for extra resources to meet your audit plan, but it is best not to rely heavily on this approach. The rapport your internally sourced auditor has with the customer creates trust. The ability to build relationships and credibility in the IT organization depends on your internal employees performing the IT audit function and on those employees staying around long enough to build a reputation. Having different contractors and consultants constantly moving in and out is not conducive to the relationship-building goal. However, it does have its place and can be useful in a pinch. It also can be useful when you are auditing technologies that your team doesn't know well and that you don't plan to audit very often. For example, if you have a mainframe operating system and only plan to audit it once every few years, it may not make sense to spend time getting the IT audit team trained on the technology. It may be more effective to just bring someone in who has that expertise to help you out. On the other hand, if you're auditing a technology that's core to the company and that you'll be looking at over and over again, it's worth the investment to get your own team up to speed rather than bringing in someone from outside (or you might look into bringing in someone from the outside once, with the understanding that part of his or her assignment will be to provide training and develop repeatable audit steps). If you do bring in cosourcing partners, it is critical that you emphasize to them your customer-oriented approach to performing audits so that they don't undo the hard work you've put into building positive relationships.