ASSURANCE SOLUTIONS
IT Audit Staffing Alternatives
Table of Contents
Introduction
Recruiting and Training IT Auditors
Co-source the IT Audit Function
Outsource the IT Audit Function
Summary
Proprietary and Confidential
This discussion paper contains information that Ernst &
Young considers to be confidential, trade secret and proprietary in nature. This discussion
paper is intended for free distribution to our clients. No part of this discussion paper may
be copied, reproduced or published in any manner without the express written consent of
Ernst & Young.
Introduction
In the past 10 years, computers have evolved from tools that crunch numbers and store
large amounts of data to tools that connect people to each other across distance and
time. The emergence of the Internet as a channel to an organization's customers and
business partners has created more complex companies. Customers and suppliers share
not only money, goods, and services, but also information at the point of purchase.
Increased connectivity puts the power of information in the customers' hands, and their
ability to self-organize, to communicate with each other, is changing the rules of business. The boundaries separating the inside and outside of the organization are blurring.
A fundamental responsibility of internal audit is giving management objective assurance of an organization's activities. There is an increasing demand from management
and audit committees of the board for assurance that systems and networks function
properly, are adequately and efficiently protected from harm and disruption, and will
continue to possess those attributes. Internal audit is also being asked by Information
Technology (IT) management to provide objective advice on how controls can be
designed into technology and systems in order to add value and improve an organization's operations.
The investments required to build and maintain an effective IT audit function to provide
this assurance and consulting activity are growing exponentially. Insight from the internal audit marketplace indicates that most companies have not invested in the
IT audit resources required to adequately cover the IT risks. Internal audit departments, therefore, are often unable to meet their governance responsibilities with respect to the organization's use of information technology and systems. The lack of qualified IT auditors
is the main cause.
The three staffing strategies that can be adopted by internal audit to address the lack of
qualified IT auditors are:
1. Recruiting and training IT auditors.
2. Co-source the IT audit function to address specific skill deficiencies or
staff absences.
3. Outsource the IT audit function.
The advantages and disadvantages of each of these IT audit-staffing alternatives are
presented in this discussion paper.
Many organizations cannot afford to take the time that is required to develop existing
IT or internal audit staff's skill sets, or they do not have the supervisory skills to provide the learning environment needed to develop IT audit skills. For this reason, hiring
an individual already trained in IT audit is the only alternative. Such individuals can be
recruited from large companies and Big Five audit firms that have regular programs to
develop IT audit skill sets. The current demand for and supply of experienced IT auditors
mean that normal internal audit salary ranges are often not sufficient to attract IT
auditors. It may also take many months to fill a position, as there is not a large pool of
skilled IT auditors from which to recruit. If an organization is able to successfully
recruit experienced IT auditors, there is no guarantee that they will retain the skill set
for a long period of time. This is because of the demand in the marketplace for this
skill set, not only for internal audit, but also for information security positions within
information system departments.
A summary of the advantages and disadvantages of maintaining the IT function
in-house follows:
Advantages
• Can develop skill sets of internal staff that will allow them to be a more valuable asset to the organization.
• Can integrate IT audit into operational, compliance, and financial audits with greater ease.
Disadvantages
• May take 12 to 36 months to provide staff with the necessary level of training to become effective IT auditors, depending on which staffing alternative is selected.
• Difficult to maintain continuity beyond a 2-3 year period.
• Specialized audit skills are difficult to staff; once skills have been developed, they may be used infrequently.
• Smaller internal audit groups may not be able to keep IT auditors sufficiently challenged; they may be diverted to perform other internal audit work.
• Independence and objectivity can be an issue if part-time staff are used to staff IT audit positions, or where company staff are hired and they audit the area in which they used to work.
• Investment in training, methodology, and technology is costly.
in advance of the work and providing some prediction of the overall demand for services.
In addition, if multiple contractors are used, internal audit will need to address how they
will deal with:
• The learning curve that will exist to bring each contractor up to speed on the
business issues, systems architecture, and risks
• The inconsistencies that will manifest themselves in the IT audit approach
and deliverables
Project-by-project co-sourcing works and looks very similar to outsourcing. The difference is that the contractor has no responsibility for determining which IT audit projects
will be performed, and the initial objectives and scope of any of the IT audits are determined by internal audit. This means that an IT risk skill set needs to be
retained by internal audit. Alternatively, the determination of IT risks can be contracted
out as a specific assignment. If internal audit intends to co-source all or most of its IT
audit work, then full outsourcing should be considered, as it should result in overall
savings to internal audit.
A summary of the advantages and disadvantages of co-sourcing follows:
Advantages
Disadvantages
• There must be expanded career opportunities for the current IT staff within the
outsourcer. In this way, existing IT auditors will see the outsourcing as an
opportunity for career development.
• Existing staff should have access to mentors and peers during the transition
process to ensure that the stress of any changes in their jobs is dealt with as
well as possible.
In addition to any staffing issues, there are several other important issues that need to
be addressed during the contracting phase:
• How organization knowledge will be retained as the outsourcer rotates staff. The
outsourcer needs to address how it will retain key organization information as staff
changes. One way this can be addressed is through a project leader who is responsible for relationship management with internal audit, the IT organization, and all
other business units. Maintaining key client and process documentation in a central
database will serve as a resource for new staff and reduce the learning curve. In
addition, staff members who are rotated to other client assignments for their own personal growth are not lost from the outsourcer's organization and are available for
consultations on specific, historical issues.
• How much control internal audit will retain over the IT audit function. Internal
audit should ensure that they are involved in the IT audit work in order to prevent
losing contact with the IT organization. Attending IT audit-planning meetings,
reviewing all reports before they are issued, and attending audit exit meetings can
accomplish this.
• Extent to which existing internal audit methodology, including work paper content
and audit report formats, will be used by the contractor. The more control internal
audit retains, the higher the cost, as the outsourcer's staff will have their own
approach and report formats that they are trained to use.
• The ownership and storage location of the work papers. Professional practice rules
of the outsourcer may require that they retain a copy or have access to the working
paper storage area used by internal audit. Working paper retention policies may also
have to be reviewed and altered to meet the requirements of both parties.
• The office space and technology needs of IT auditors. Cost savings can be realized
by having the outsourced IT audit staff work out of the contractor's offices or by requiring
them to supply their own computers, printers, and office supplies. Any IT needs supplied by the contractor would have to be compatible with existing organization
systems, as the IT auditors will need access to these systems, including internal email
accounts and voice mail systems.
• Independence of the Outsourcer. The outsourcer may serve several clients that
have a similar business or share the same customers. This can be a key benefit in
outsourcing because the outsourcer has good industry knowledge; however, the outsourcer will need to address how it will maintain the confidentiality of information,
particularly competitive information. If the outsourcer is also the external auditor,
there may be issues that internal audit wishes to maintain internal to the organization
until the appropriate time. The outsourcer would need to address how it will maintain
the separation between external and internal audit responsibilities.
Not all issues can be anticipated in the outsourcing contract and new issues will arise.
As outsourcing is a form of partnership, an outsourcing management board composed
of internal audit and outsourcer management staff should be put in place to co-develop
the protocols for the transition and co-ordinate and resolve issues that arise after the
outsourcing contract has been signed. Although an outsourcing contract will have legal
remedies to deal with disputes, the advantages of the outsourcing relationship will be
lost if they need to be invoked; therefore, the outsourcing management board should be
empowered by the outsourcing contract to interpret the outsourcing contract and
develop an appropriate solution that is suitable to all parties.
A summary of the advantages and disadvantages of outsourcing follows:
Advantages
• Leverages the outsourcer's resources, including methodology, technology, tools, and knowledge.
• Increases the access to a larger pool of experienced IT audit staff, including IT security specialists.
• Achieves efficient IT audits because of the large pool of experienced internal auditors that can be used on an audit, audit management methodology optimized to reduce audit time, and the profit motivation of the outsourcer.
Disadvantages
• IT audit is no longer a potential training ground for internal staff.
• Perceived loss of control over an important risk management function.
• Retention of corporate knowledge by the outsourcer.
• The integration of IT audit activities with operational, financial, and compliance audits may be difficult.
Summary
There is no right or wrong alternative for IT audit staffing. The decision to use a particular alternative will inevitably be a fluid one. Internal audit will need to adopt a staffing
strategy that meets its current needs. The decision to change the staffing strategy will
be driven by the availability of appropriately trained IT auditors, internal audit's ability
to recruit and retain IT auditors, inability to provide the required IT risk coverage, the
ability of another alternative to achieve the same risk coverage at a lower cost, budget
availability, or a changing IT risk profile.
Ernst & Young
www.ey.com