If you want to have an effective IT audit team, you must invest time and money into keeping their skill sets up to date. Training is essential for IT auditors because technologies and techniques change constantly. Your auditors won't be supporting the technologies day to day (the very thing that forces support staff to keep up with changes), so if you're not intentional about maintaining your expertise, your team's knowledge will quickly become outdated. It's never fun when you take your department's expert with you to a meeting and find out that he or she has become a "dinosaur" who doesn't know the latest developments.
Fortunately for the auditor, a wealth of training exists to keep skills sharp and up to date. The time away from formal audits and the cost involved in the training pay dividends in building a knowledgeable and effective team of auditors. Consider the following as sources for keeping the team's expertise up to date.
Each auditor generally should be given the opportunity to attend one or two outside training classes or conferences each year. If chosen wisely, they're a great way for the auditor to have a week of concentrated focus on learning something new. Common vendors in this space include SysAdmin, Audit, Network, Security (SANS), the MIS Training Institute, and the Information Systems Audit and Control Association (ISACA). It is important to pick the training classes wisely. Look for technical training classes that provide hands-on activities, because they are much more likely to be teaching real technical skills. Too many technical training classes are pitched at a high level and consist solely of looking at slides. It's very difficult to learn a technical skill without touching the technology. Shy away from classes that are purely theoretical in nature or focus solely on soft skills unless they meet one of your specific objectives. Look instead for classes that deal with how to audit and secure specific technologies and that provide hands-on illustrations of how to do so. Also look for training classes related to technologies that you actually will be auditing in the near future. Training that is not used quickly is lost quickly. Even though training classes are an important component of maintaining expertise, it is not realistic to think that they will be the only source of knowledge. It is simply cost prohibitive to send someone to a class every time you need to learn something. Therefore, the options below are as important as (if not more so than) formal training classes and conferences.
Consider providing dedicated time for your IT auditors to perform research and learning activities. Give them a week here and there where the only objective is for them to perform self-study activities. Make sure that they have the leeway they need to purchase books to aid in this effort. This time also can be used to create or enhance standard audit programs/tools for auditing common technologies at the company.
Closely related to research time, you might consider having one or two auditors specialize in each of the core technologies that the IT audit team will be auditing. These people become your resident experts, and they are responsible for keeping up with the technologies and maintaining the department's tools related to auditing those technologies (using dedicated research time, as mentioned earlier). They also would be responsible for providing assistance to other IT auditors who are performing audits dealing with those technologies. These specialists would be the primary points of contact for others within the company who might have questions regarding controls in those areas. They are also your top candidates for establishing liaison relationships (as discussed earlier in this chapter) with management of teams supporting those technologies.
We talked about training earlier. Training is a high-dollar method of maintaining expertise, and you need to make sure that you fully leverage that investment. Too often people come back from training, stick their training books on the shelf, and never think about the class again. People should be held accountable for making full use of the knowledge they receive at a training class. Consider implementing a requirement that each person must do some sort of knowledge sharing on return from a class. The method of delivery should be flexible in order to allow the auditor to apply judgment. Potential delivery methods include holding a short training session for the rest of the department, creating or enhancing a standard audit approach for the topic, creating or enhancing tools to automate and/or analyze the technology, and creating a knowledge-sharing document that highlights key learning from the training. The key is that there should be an expectation and accountability that the auditor will bring something back to the department once training is complete.
There are a number of certifications that are relevant to the IT audit profession, the most prevalent of these being the CISA (Certified Information Systems Auditor). Another one that is becoming more popular among auditors is the CISSP (Certified Information Systems Security Professional). Certifications are a good way to ensure that auditors have a basic level of understanding, as well as to enhance the pedigree of the department (lots of audit directors like to brag to the audit committee about how many certifications the audit department has). There's wisdom in encouraging auditors to earn these certifications because they will undoubtedly enhance their knowledge in the process of examination preparation.
As you can see, there are a number of options for ensuring that the IT audit team has the appropriate level of knowledge or expertise. In an ideal world, it is best to implement a combination of all these things. However, the important thing is to be deliberate about establishing the methods that will be used. If you take your eye off the ball on these, you'll find that the world quickly passes you by and you lose the expertise and credibility necessary to accomplish your mission of promoting internal controls at the company effectively.
In addition to maintaining technical skills, it is critical for auditors to develop and maintain key soft skills such as communication, presentation, and writing skills. While dedicated training classes often can be useful in strengthening these skills, they are not always necessary. However, it is important for audit management and team leaders to constantly emphasize the importance of these skills and coach the audit team in identifying opportunities to strengthen them.