Building an IT Audit Team
As companies continue to develop information security strategies to combat the risks presented by the digital age, methods to ensure compliance with these strategies are becoming increasingly necessary. Without the means to evaluate this compliance along with the efficacy of the strategies themselves, even the most robust information security policy will be ineffective. An information technology audit, which can be defined as a mechanism to examine an organization’s overall security environment as well as the controls governing the information systems (Laudon & Laudon, 2016), is one such way businesses can be certain their security strategies are working as expected and continuing to deliver business value.
Role of an IT Audit Team
An audit is only as good as those completing it, so the IT audit team is critical to ensuring that both the processes being audited and the audit itself provide the expected return on investment. The role of the IT audit team may vary across organizations, but in general, the IT audit team should aim to accomplish the following:
Promote internal controls
Develop and recommend cost-effective solutions to identified issues
Evaluate and improve internal controls (Davis, Schiller, and Wheeler, 2011).
Cultivating Trust and Achieving Buy-In
While there are a multitude of ways IT audit teams can position themselves to be successful within an organization, perhaps none is more important than building trust and cultivating positive relationships with the other members of the organization. Without established trust, the IT audit team will find it difficult to achieve buy-in from key organizational stakeholders and decision makers. As with any IT-related initiative, a lack of buy-in will ultimately result in stakeholders failing to acknowledge the IT audit team’s authority, and its recommendations will be neither approved nor complied with. Davis et al. (2011) identify four main ways IT audit teams can proactively involve decision makers to ensure their engagement:
Get involved early on in project and process planning
Practice regularly scheduled informal audits to build familiarity with the process
Share knowledge both inside and outside the IT audit team
Use self-assessments to gather information and provide members of the organization with the opportunity to share their thoughts on the controls.
Building an IT Audit Team
Generally speaking, there are six main areas to address when building an IT audit team:
1) Identify the focus for the team
2) Select key positions from which to fill your team
3) Identify key skillsets and experience for team members
4) Decide if outside consultants should be used
5) Decide if co-sourcing should be used
6) Define how the audits will deliver value to the business.
Team members may be recruited internally from key business areas, be external hires, or even be contracted consultants depending on the need, expected project duration, and budget. Generally speaking, it is recommended that the team be built with the expected goals and deliverables in mind, so its makeup should reflect the strategic goals and objectives of the organization it is serving.
Example: Auditing an Acceptable Usage Policy (AUP)
Consider the example of an organization looking to measure the compliance and efficacy of an existing Acceptable Usage Policy (AUP). An AUP will cover all IT-related usage, services, software, and hardware, including desktops, laptops, telephones, mobile devices, tablets, and internet circuits. A well-written AUP will define both the prohibited and allowable actions for every staff member and outline the specific consequences for non-conformity (Laudon & Laudon, 2016).
To begin, the IT auditing team must have a clearly defined focus. For purposes of this example, the focus of the IT auditing team is to ensure compliance with a recently created Acceptable Usage Policy (AUP) as described above. The assembled team will work with the business management team to measure the success of the policy and confirm it does not interfere with the employees’ ability to conduct business.
The team will be comprised of the following roles:
One experienced career auditor to provide strategic oversight, planning, and guidance.
Two internal IT professionals on assignment to the audit team to provide institutional knowledge of the internal systems and processes.
Two recent college graduates or interns to complete the day-to-day tasks while building the skills and experience needed to grow into career auditor roles.
Skill-sets among the team members will vary, but should cover the following: IT auditing, stakeholder relationship building, project planning, business analysis, information security, IT systems (applications), IT systems (hardware), and subject matter expertise specific to the business.
For purposes of this team, external consultants and/or co-sourcing will not be used, unless there is difficulty filling the one or two experienced career auditor roles. If a full-time experienced auditor cannot be found, then an external consultant may be used to provide guidance and train one of the IT professionals or college graduates to become a dedicated IT audit team lead.
And finally, the IT audit team will deliver value to the business as follows:
Validating the efficacy of the AUP
Ensuring that controls are in place to measure and enforce the AUP
Confirming the AUP does not impair employees’ ability to do their jobs.
Ultimately, the audit team will build relationships with the local business management team, become experts in the business processes impacted by the AUP, and create a traceability matrix mapping controls to the AUP project deliverables. They will ensure that the intended return on investment in the AUP is realized. Recommendations for improvement tied to specific audit findings will be proposed and implemented as needed.
Davis, C., Schiller, M., & Wheeler, K. (2011). IT auditing: Using controls to protect information assets (2nd ed.). New York, NY: McGraw Hill. ISBN: 9780071742382
Laudon, K. C., & Laudon, J. P. (2016). Management information systems: Managing the digital firm. Upper Saddle River, NJ: Prentice Hall.