
IT RISK MANAGEMENT AND
ASSURANCE SOLUTIONS

IT Audit Staffing Alternatives

Table of Contents
Introduction ..... 1
Recruiting and Training IT Auditors ..... 2
Co-source the IT Audit Function ..... 3
Outsource the IT Audit Function ..... 6
Summary ..... 9

Proprietary and Confidential
This discussion paper contains information that Ernst & Young considers to be
confidential, trade secret and proprietary in nature. This discussion paper is intended
for free distribution to our clients. No part of this discussion paper may be copied,
reproduced or published in any manner without the express written consent of
Ernst & Young.

IT AUDIT STAFFING ALTERNATIVES

SERVICE LINE

Introduction
In the past 10 years, computers have evolved from tools that crunch numbers and store
large amounts of data to tools that connect people to each other across distance and
time. The emergence of the Internet as a channel to an organization's customers and
business partners has created more complex companies. Customers and suppliers not
only share money, goods, and services, but also information at the point of purchase.
Increased connectivity puts the power of information in the customers' hands, and their
ability to self-organize, to communicate with each other, is changing the rules of business. The boundaries separating the inside and outside of an organization are blurring.
A fundamental responsibility of internal audit is giving management objective assurance of an organization's activities. There is an increasing demand from management
and audit committees of the board for assurance that systems and networks function
properly, are adequately and efficiently protected from harm and disruption, and will
continue to possess those attributes. Internal audit is also being asked by Information
Technology (IT) management to provide objective advice on how controls can be
designed into technology and systems in order to add value and improve an organization's operations.
The investments required to build and maintain an effective IT audit function that provides
this assurance and consulting activity are growing exponentially. Insight from the internal audit marketplace indicates that most companies have not invested in the
IT audit resources required to adequately cover their IT risks. Internal audit departments, therefore, are often unable to meet their governance responsibilities with respect to the organization's use of information technology and systems. The lack of qualified IT auditors
is the main cause.
The three staffing strategies that internal audit can adopt to address the lack of
qualified IT auditors are:
1. Recruit and train IT auditors.
2. Co-source the IT audit function to address specific skill deficiencies or
staff absences.
3. Outsource the IT audit function.
The advantages and disadvantages of each of these IT audit staffing alternatives are
presented in this discussion paper.

Recruiting and Training IT Auditors

Recruiting and training IT auditors has been the traditional strategy adopted by most
internal audit functions. Three sources of staff can be considered for IT audit positions:
current internal auditors who have some or no knowledge of IT matters, IT staff with
some or no knowledge of IT audit and control skills, or experienced IT auditors from
outside of the organization. The decision to use current internal audit staff or to hire IT
staff or experienced IT auditors will be driven by supply and demand.
If the decision is made to use existing internal audit staff to meet the IT audit requirement, then the auditors selected to perform IT audits will need to understand the control risks associated with information technology and application systems and be able
to function within a technical environment. This means the auditor must first understand the concepts of information systems and the control and security risks in the IT
environment. Internal auditors new to IT auditing should begin by learning the necessary controls for application systems. Such auditors need to be able to pinpoint specific IT related controls when auditing currently installed systems or new systems
under development. Once they have achieved a level of proficiency with application
controls, they should then develop a fundamental understanding of the various activities within the information systems department. By obtaining a fundamental understanding of general control issues they can then participate on audits that address
integrity, efficiency, and effectiveness of information systems resources, whether they
are mainframe or client/server. When auditors have achieved this basic level of understanding of IT controls and security, they would then undertake more specialized
courses. Audit staff that take more advanced training should be encouraged to join the
Information System Audit & Control Association (ISACA) as well as study for and
write the Certified Information System Auditor (CISA) exam. At the conclusion of a
three-year period of training and work experience, the organization will have an IT
auditor with a reasonably rounded skill set, capable of performing most IT audits
within the organization.
Recruiting an IT staff member into internal audit can provide great benefits to internal
audit as such individuals have deep technical skills and often have a good knowledge of
the systems and technology in use within the organization. For some time, IT staff have
been in great demand. Consequently, their salary rates are normally higher than those
of other internal audit staff with the same levels of experience and educational qualifications. This makes the initial recruitment of such staff difficult. It is also unlikely that
such individuals will want to stay in internal audit for more than three years, as they
will be concerned with losing their technical capabilities. IT staff will need to receive
IT audit and control skills training and they need to gain a basic understanding of internal auditing. Undertaking the Certified Internal Auditor (CIA) curriculum will provide
individuals with the required skill set, but will take 12 to 18 months. Until such time,
additional supervision and guidance is required of such staff.


Many organizations cannot afford to take the time that is required to develop the skill sets
of existing IT or internal audit staff, or they do not have the supervisory skills to provide the learning environment needed to develop IT audit skills. For this reason, hiring
an individual already trained in IT audit is the only alternative. Such individuals can be
recruited from large companies and Big Five audit firms that have regular programs to
develop IT audit skill sets. The current demand for and supply of experienced IT auditors
means that normal internal audit salary ranges are often not sufficient to attract IT
auditors. It may also take many months to fill a position, as there is not a large pool of
skilled IT auditors from which to recruit. If an organization is able to successfully
recruit experienced IT auditors, there is no guarantee that it will retain the skill set
for a long period of time. This is because of the demand in the marketplace for this
skill set, not only for internal audit, but also for information security positions within
information systems departments.
A summary of the advantages and disadvantages of maintaining the IT audit function
in-house follows.
Advantages
• Can develop the skill sets of internal staff, which will allow them to be a
more valuable asset to the organization.
• Can integrate IT audit into operational, compliance, and financial audits with
greater ease.
Disadvantages
• May take 12 to 36 months to provide staff with the necessary level of
training to become effective IT auditors, depending on which staffing
alternative is selected.
• Difficult to maintain continuity beyond a 2-3 year period.
• Specialized audit skills are difficult to staff; once skills have been developed,
they may be used infrequently.
• Smaller internal audit groups may not be able to keep IT auditors sufficiently
challenged; they may be diverted to perform other internal audit work.
• Independence and objectivity can be an issue if part-time staff are used to
staff IT audit positions, or where company staff are hired and they audit
the area in which they used to work.
• Investment in training, methodology, and technology is costly.

Co-source the IT Audit Function

Many internal audit departments will supplement their existing IT auditor(s) with assistance sourced from external companies which specialize in providing staff with IT audit
skills. This strategy, sometimes called teaming, is used to either supplement existing
skills because of staff shortages or to bring in a skill set for a temporary period of time
that is required to perform the IT audit in an efficient and effective manner.
The decision to obtain externally sourced IT-skilled individuals is normally based on the following criteria:
• An IT audit requires knowledge that goes well beyond the current skill set of
existing IT auditors.
• No external training course and/or third party audit program/guide is readily
available that would give an in-house IT auditor the knowledge required to
perform the IT audit.
• The IT audit would benefit from the use of tools; however, the tools are not
available at a reasonable cost, or internal audit does not wish to invest in the training
necessary to use the tools proficiently.
• The knowledge required to perform the IT audit cannot be reused on other IT audits.
There is no long-term value to internal audit in the investment it would have to
make in training, third party audit programs/guides, and/or tools.
• There is a staff vacancy as a result of maternity leave, leave of absence, or
unexpected termination.
There are two co-sourcing strategies:
• Contracting individuals: Contract individuals for a fixed period of time, normally
related to the internal audit project duration. Such individuals usually work under
the control of the IT audit project manager and perform work that in-house IT auditors are unable to perform. Contracting such individuals is normally done on a daily
rate basis. In addition, there are restrictions in the way contract internal auditors can
be deployed and used in order to avoid the appearance of an employee/employer
relationship. This is an important consideration when hiring self-employed, private
contractors.
• Project-by-project co-sourcing: Contract a firm to conduct an entire IT audit.
Different from contracting for an individual, the outsourcer is given authority to perform the entire IT audit with its staff, subject to any methodology and delivery
considerations built into the contract. Project-by-project co-sourcing is normally
done on a fixed fee arrangement.
If internal audit intends to use co-sourcing frequently, as a means of dealing with skill and
staff shortages, then an overall strategy should be developed on how contracted services
will be acquired. If internal audit relies on an RFP process for each audit it co-sources,
significant time will be spent in selecting the contractor, and the marketing time
incurred by the contractor will ultimately be reflected in the pricing of the work proposed by the contractor. Cost savings can be achieved by pre-selecting contractors well
in advance of the work and providing some prediction of the overall demand for services.
In addition, if multiple contractors are used, internal audit will need to address how it
will deal with:
• The learning curve that will exist to bring each contractor up to speed on the
business issues, systems architecture, and risks
• The inconsistencies that will manifest themselves in the IT audit approach
and deliverables
Project-by-project co-sourcing works and looks very similar to outsourcing. The difference is that the contractor has no responsibility for determining which IT audit projects
will be performed, and the initial objectives and scope of each IT audit are determined by internal audit. This, therefore, means that an IT risk skill set needs to be
retained by internal audit. Alternatively, the determination of IT risks can be contracted
out as a specific assignment. If internal audit intends to co-source all or most of its IT
audit work, then full outsourcing should be considered, as it should result in overall
savings to internal audit.
A summary of the advantages and disadvantages of co-sourcing follows.
Advantages
• Specialized IT audit staff can be obtained on an as-needed basis.
• Can provide new and different insights into audit issues.
• Access to the contractor's resources, including industry leading practices,
methodology, technology, tools, and knowledge.
• The contractor is normally obligated to ensure that all contracted positions
remain filled.
• Knowledge transfer between the contract IT audit staff and in-house internal
audit staff.
• Audit work will be done efficiently. This is because the work scope and
objectives are usually well defined. In project-by-project outsourcing the
contractor is normally held to a fixed fee. The contractor will also be
motivated to exceed deadline expectations to foster future contract
considerations.
Disadvantages
• Must maintain IT audit resources to perform the routine audits. Auditors
assigned to these audits may react negatively to specialized (i.e., interesting)
audit areas being given to hired guns.
• More costly than full outsourcing on a per person basis because every project
requires a selection process. The outsourcer's selling and downtime costs are
built into the individual project fees.
• The company retains the costs and problems of recruiting and training all
remaining full-time internal auditors.
• Full-time staff may become dissatisfied when contract staff are managed in
accordance with different human resource practices, including compensation,
hours of work, and training opportunities.
• Typically, contractors are not obligated to invest the time to develop a detailed
understanding of the company and its culture. Their job is to do the assigned
task and leave the company for yet another assignment elsewhere.

Outsource the IT Audit Function

By outsourcing the IT audit function, the outsourcing contractor will assume the
responsibility for fulfilling the IT audit mandate on behalf of internal audit. This does
not mean that internal audit has outsourced their accountability for the performance of
IT audit, just the responsibility.
Internal audit will normally consider outsourcing its IT audit function for one or more
of the following reasons:
• Challenges associated with staffing and retention of IT auditors, as well as training
and supervision
• IT risks are in flux because of changes in the IT infrastructure and systems, and it
is difficult to maintain the skills necessary to deal with both the legacy and the
new systems
• IT risks in the organization cannot justify a full-time IT auditor, or only one IT
auditor is justified and the organization cannot afford the cost of back-up staff in
the event of a maternity leave or a short-term disability
Outside organizations specialized in outsourced IT audits can meet these challenges
because their human resource policies are attuned to the needs of specialized IT audit
staff and they are regularly recruiting and training such staff. Very experienced IT
auditors are attracted to join such organizations because of the diverse client base,
training that is offered, the ability to confer with staff with similar skill sets, and the
software tools and research databases that such firms can offer.
If no IT audit capability currently exists, outsourcing IT audit is relatively
easy. If IT audit staff are currently in place, this becomes a key consideration in
approaching the question of outsourcing IT audit. It is very important that existing IT
audit staff be treated fairly and in a dignified manner. The transition plan for dealing with
the existing staff is therefore a critical issue, as is communication to these staff leading
up to the decision to outsource and subsequent to making the decision.
The outsourcing transition plan should provide for the following:
• The involvement of human resources staff of both parties. By involving human
resources, they can manage the transition of staff from one organization to the other
because they are familiar with the people issues, compensation plans, benefits, as
well as the laws and regulations.
• IT audit staff members should be given the opportunity to interview for a position in the
outsourcing services practice. Appropriate severance arrangements should be in
place to deal with staff who choose not to join the outsourcer or who are not given
offers by the outsourcer.
• The salary and benefits offered by the outsourcer must be competitive with the
current market.


• There must be expanded career opportunities for the current IT audit staff within the
outsourcer. In this way, existing IT auditors will see the outsourcing as an
opportunity for career development.
• Existing staff should have access to mentors and peers during the transition
process to ensure that the stress of any changes in their jobs is dealt with as
well as possible.
In addition to any staffing issues, there are several other important issues that need to
be addressed during the contracting phase:
• How organization knowledge will be retained as the outsourcer rotates staff. The
outsourcer needs to address how it will retain key organization information as staff
change. One way this can be addressed is through a project leader who is responsible for relationship management with internal audit, the IT organization and all
other business units. Maintaining key client and process documentation in a central
database will serve as a resource for new staff and reduce the learning curve. In
addition, staff members who are rotated to other client assignments for their own personal growth are not lost from the outsourcer's organization and are available for
consultation on specific, historical issues.
• How much control internal audit will retain over the IT audit function. Internal
audit should ensure that it is involved in the IT audit work in order to prevent
losing contact with the IT organization. Attending IT audit planning meetings,
reviewing all reports before they are issued, and attending audit exit meetings can
accomplish this.
• The extent to which existing internal audit methodology, including work paper content
and audit report formats, will be used by the contractor. The more control internal
audit retains, the higher the cost, as the outsourcer's staff will have their own
approach and report formats that they are trained to use.
• The ownership and storage location of the work papers. Professional practice rules
of the outsourcer may require that it retain a copy or have access to the working
paper storage area used by internal audit. Working paper retention policies may also
have to be reviewed and altered to meet the requirements of both parties.
• The office space and technology needs of IT auditors. Cost savings can be realized
by having the outsourced IT audit staff work out of the contractor's offices or by requiring
them to supply their own computers, printers, and office supplies. Any IT equipment supplied by the contractor would need to be compatible with existing organization
systems, as the IT auditors will need access to these systems, including internal email
accounts and voice mail systems.
• Independence of the outsourcer. The outsourcer may serve several clients that
have a similar business or share the same customers. This can be a key benefit in
outsourcing because the outsourcer has good industry knowledge; however, the outsourcer will need to address how it will maintain the confidentiality of information,
particularly competitive information. If the outsourcer is also the external auditor,
there may be issues that internal audit wishes to keep internal to the organization
until the appropriate time. The outsourcer would need to address how it will maintain
the separation between external and internal audit responsibilities.

Not all issues can be anticipated in the outsourcing contract and new issues will arise.
As outsourcing is a form of partnership, an outsourcing management board composed
of internal audit and outsourcer management staff should be put in place to co-develop
the protocols for the transition and co-ordinate and resolve issues that arise after the
outsourcing contract has been signed. Although an outsourcing contract will have legal
remedies to deal with disputes, the advantages of the outsourcing relationship will be
lost if they need to be invoked; therefore, the outsourcing management board should be
empowered by the outsourcing contract to interpret the outsourcing contract and
develop an appropriate solution that is suitable to all parties.
A summary of the advantages and disadvantages of outsourcing follows.
Advantages
• Leverages the outsourcer's resources, including methodology, technology,
tools, and knowledge.
• Increases the access to a larger pool of experienced IT audit staff, including IT
security specialists.
• Achieves efficient IT audits because of the large pool of experienced internal
auditors that can be used on an audit, audit management methodology optimized
to reduce audit time, and the profit motivation of the outsourcer.
• Eliminates the costs associated with recruiting, hiring, and training IT auditors.
• Potential elimination of the costs of office space, facilities, and support if
the outsourced auditors are not housed on-site.
• Reduces travel costs, assuming the outsourcer has offices nationally or
internationally.
• Results in increased staff productivity by adopting the contractor's engagement
management structure.
• Increases independence and objectivity.
Disadvantages
• IT audit is no longer a potential training ground for internal staff.
• Perceived loss of control over an important risk management function.
• Retention of corporate knowledge by the outsourcer.
• The integration of IT audit activities with operational, financial, and
compliance audits may be difficult.


Summary
There is no right or wrong alternative for IT audit staffing. The decision to use a particular alternative will inevitably be a fluid one. Internal audit will need to adopt a staffing
strategy that meets its current needs. The decision to change the staffing strategy will
be driven by the availability of appropriately trained IT auditors, internal audit's ability
to recruit and retain IT auditors, an inability to provide the required IT risk coverage, the
ability of another alternative to achieve the same risk coverage at a lower cost, budget
availability, or a changing IT risk profile.

ERNST & YOUNG

2002 Ernst & Young
All Rights Reserved.
Ernst & Young is a registered trademark.
SCORE Retrieval File No. XX0000

www.ey.com
