
IT Risk Management and Assurance Solutions

IT Audit Staffing Alternatives

Table of Contents

Introduction ........ 1
Recruiting and Training IT Auditors ........ 2
Co-source the IT Audit Function ........ 3
Outsource the IT Audit Function ........ 6
Summary ........ 9

Proprietary and Confidential

This discussion paper contains information that Ernst & Young considers to be confidential, trade secret and proprietary in nature. This discussion paper is intended for free distribution to our clients. No part of this discussion paper may be copied, reproduced or published in any manner without the express written consent of Ernst & Young.


Introduction

In the past 10 years, computers have evolved from tools that crunch numbers and store large amounts of data to tools that connect people to each other across distance and time. The emergence of the Internet as a channel to an organization's customers and business partners has created more complex companies. Customers and suppliers not only share money, goods, and services, but information at the point of purchase. Increased connectivity puts the power of information in the customers' hands, and their ability to self-organize, to communicate with each other, is changing the rules of business. The boundaries separating the inside and outside of the organization are blurring.

A fundamental responsibility of internal audit is giving management objective assurance of an organization's activities. There is an increasing demand from management and audit committees of the board for assurance that systems and networks function properly, are adequately and efficiently protected from harm and disruption, and will continue to possess those attributes. Internal audit is also being asked by Information Technology (IT) management to provide objective advice on how controls can be designed into technology and systems in order to add value and improve an organization's operations.

The investment required to build and maintain an effective IT audit function to provide this assurance and consulting activity is growing exponentially. Insight from the internal audit marketplace indicates that most companies have not invested in the IT audit resources required to adequately cover their IT risks. Internal audit departments, therefore, are often unable to meet their governance responsibilities with respect to the organization's use of information technology and systems. The lack of qualified IT auditors is the main cause.

The three staffing strategies that internal audit can adopt to address the lack of qualified IT auditors are:

1. Recruiting and training IT auditors.

2. Co-sourcing the IT audit function to address specific skill deficiencies or staff absences.

3. Outsourcing the IT audit function.

The advantages and disadvantages of each of these IT audit staffing alternatives are presented in this discussion paper.


Recruiting and Training IT Auditors

Recruiting and training IT auditors has been the traditional strategy adopted by most internal audit functions. Three sources of staff can be considered for IT audit positions: current internal auditors who have some or no knowledge of IT matters, IT staff with some or no knowledge of IT audit and control skills, or experienced IT auditors from outside of the organization. The decision to use current internal audit staff, or to hire IT staff or experienced IT auditors, will be driven by supply and demand issues.

If the decision is made to use existing internal audit staff to meet the IT audit requirement, then the auditors selected to perform IT audits will need to understand the control risks associated with information technology and application systems and be able to function within a technical environment. This means the auditor must first understand the concepts of information systems and the control and security risks in the IT environment. Internal auditors new to IT auditing should begin by learning the necessary controls for application systems. Such auditors need to be able to pinpoint specific IT-related controls when auditing currently installed systems or new systems under development. Once they have achieved a level of proficiency with application controls, they should then develop a fundamental understanding of the various activities within the information systems department. By obtaining a fundamental understanding of general control issues they can then participate on audits that address the integrity, efficiency, and effectiveness of information systems resources, whether they are mainframe or client/server. When auditors have achieved this basic level of understanding of IT controls and security, they would then undertake more specialized courses. Audit staff that take more advanced training should be encouraged to join the Information Systems Audit and Control Association (ISACA) as well as study for and write the Certified Information Systems Auditor (CISA) exam. At the conclusion of a three-year period of training and work experience, the organization will have an IT auditor with a reasonably rounded skill set, capable of performing most IT audits within the organization.

Recruiting an IT staff member into internal audit can provide great benefits to internal audit, as such individuals have deep technical skills and often have a good knowledge of the systems and technology in use within the organization. For some time, IT staff have been in great demand. Consequently, their salary rates are normally higher than those of other internal audit staff with the same levels of experience and educational qualifications. This makes the initial recruitment of such staff difficult. It is also unlikely that such individuals will want to stay in internal audit for more than three years, as they will be concerned with losing their technical capabilities. IT staff will need to receive IT audit and control skills training, and they need to gain a basic understanding of internal auditing. Undertaking the Certified Internal Auditor (CIA) curriculum will provide individuals with the required skill set, but will take 12 to 18 months. Until such time, additional supervision and guidance is required of such staff.

Many organizations cannot afford to take the time that is required to develop the skill sets of existing IT or internal audit staff, or they do not have the supervisory skills to provide the learning environment needed to develop IT audit skills. For this reason, hiring an individual already trained in IT audit is the only alternative. Such individuals can be recruited from large companies and Big Five audit firms who have regular programs to develop IT audit skill sets. The current demand and supply of experienced IT auditors means that normal internal audit salary ranges are often not sufficient to attract IT auditors. It may also take many months to fill a position, as there is not a large pool of skilled IT auditors from which to recruit. If an organization is able to successfully recruit experienced IT auditors, there is no guarantee that it will retain the skill set for a long period of time. This is because of the demand in the marketplace for this skill set, not only for internal audit, but also for information security positions within information systems departments.

A summary of the advantages and disadvantages of maintaining the IT audit function in-house:

Advantages:

- Can develop skill sets of internal staff that will allow them to be a more valuable asset to the organization.
- Can integrate IT audit into operational, compliance, and financial audits with greater ease.

Disadvantages:

- May take 12 to 36 months to provide staff with the necessary level of training to become effective IT auditors, depending on which staffing alternative is selected.
- Difficult to maintain continuity beyond a 2-3 year period.
- Specialized audit skills are difficult to staff; once skills have been developed, they may be used infrequently.
- Smaller internal audit groups may not be able to keep IT auditors sufficiently challenged; they may be diverted to perform other internal audit work.
- Independence and objectivity can be an issue if part-time staff are used to staff IT audit positions, or where company staff are hired and they audit the area in which they used to work.
- Investment in training, methodology, and technology is costly.


Co-source the IT Audit Function

Many internal audit departments will supplement their existing IT auditor(s) with assistance sourced from external companies which specialize in providing staff with IT audit skills. This strategy, sometimes called teaming, is used either to supplement existing skills because of staff shortages or to bring in, for a temporary period of time, a skill set that is required to perform the IT audit in an efficient and effective manner.

The decision to obtain external IT-skilled individuals is normally based on the following criteria:

- An IT audit requires knowledge that goes well beyond the current skill set of existing IT auditors.
- No external training course and/or third-party audit program/guide is readily available that would give an in-house IT auditor the knowledge required to perform the IT audit.
- The IT audit would benefit from the use of tools; however, the tools are not available at a reasonable cost, or internal audit does not wish to invest in the training necessary to use the tools proficiently.
- The knowledge required to perform the IT audit cannot be reused on other IT audits. There is no long-term value to internal audit for the investment it would have to make in training, third-party audit programs/guides, and/or tools.
- There is a staff vacancy as a result of maternity leave, leave of absence, or unexpected termination.

There are two co-sourcing strategies:

- Contracting individuals: contract individuals for a fixed period of time, normally related to the internal audit project duration. Such individuals usually work under the control of the IT audit project manager and perform work that in-house IT auditors are unable to perform. Contracting such individuals is normally done on a daily rate basis. In addition, there are restrictions in the way contract internal auditors can be deployed and used in order to avoid the appearance of an employee/employer relationship. This is an important consideration when hiring self-employed, private contractors.
- Project-by-project co-sourcing: contract a firm to conduct an entire IT audit. Different from contracting an individual, the outsourcer is given authority to perform the entire IT audit with its own staff, subject to any methodology and delivery considerations built into the contract. Project-by-project co-sourcing is normally done on a fixed fee arrangement.

If internal audit intends to use co-sourcing frequently as a means of dealing with skill and staff shortages, then an overall strategy should be developed on how contracted services will be acquired. If internal audit relies on an RFP process for each audit it co-sources, significant time will be spent in selecting the contractor, and the marketing time incurred by the contractor will ultimately be reflected in the pricing of the work proposed by the contractor. Cost savings can be achieved by pre-selecting contractors well in advance of the work and providing some prediction of the overall demand for services. In addition, if multiple contractors are used, internal audit will need to address how it will deal with:

- The learning curve that will exist to bring each contractor up to speed on the business issues, systems architecture, and risks.
- The inconsistencies that will manifest themselves in the IT audit approach and deliverables.

Project-by-project co-sourcing works and looks very similar to outsourcing. The difference is that the contractor has no responsibility for determining which IT audit projects will be performed, and the initial objectives and scope of each IT audit are determined by internal audit. This, therefore, means that an IT risk skill set needs to be retained by internal audit. Alternatively, the determination of IT risks can be contracted out as a specific assignment. If internal audit intends to co-source all or most of its IT audit work, then full outsourcing should be considered, as it should result in overall savings to internal audit.

A summary of the advantages and disadvantages of co-sourcing:

Advantages:

- Specialized IT audit staff can be obtained on an as-needed basis.
- Access to the contractor's resources, including industry-leading practices, methodology, technology, tools, and knowledge.
- Knowledge transfer between the contract IT audit staff and in-house internal audit staff.
- Audit work will be done efficiently. This is because the work scope and objectives are usually well defined. In project-by-project co-sourcing the contractor is normally held to a fixed fee. The contractor will also be motivated to exceed deadline expectations to foster future contract considerations.
- Can provide new and different insights into audit issues.
- The contractor is normally obligated to ensure that all contracted positions remain filled.

Disadvantages:

- Must maintain IT audit resources to perform the routine audits. Auditors assigned to these audits may react negatively to specialized (i.e., interesting) audit areas being given to hired guns.
- More costly than full outsourcing on a per-person basis because every project requires a selection process. The outsourcer's selling and downtime costs are built into the individual project fees.
- The company retains the costs and problems of recruiting and training all remaining full-time internal auditors.
- Full-time staff may become dissatisfied when contract staff are managed in accordance with different human resource practices, including compensation, hours of work, and training opportunities.
- Typically, contractors are not obligated to invest the time to develop a detailed understanding of the company and its culture. Their job is to do the assigned task and leave the company for yet another assignment elsewhere.


Outsource the IT Audit Function

By outsourcing the IT audit function, the outsourcing contractor will assume the responsibility for fulfilling the IT audit mandate on behalf of internal audit. This does not mean that internal audit has outsourced its accountability for the performance of IT audit, just the responsibility.

Internal audit will normally consider outsourcing its IT audit function for one or more of the following reasons:

- Challenges associated with staffing and retention of IT auditors, as well as training and supervision.
- IT risks are in flux because of changes in the IT infrastructure and systems, and it is difficult to maintain the skills necessary to deal with both the legacy and the new systems.
- IT risks in the organization cannot justify a full-time IT auditor, or only one IT auditor is justified and the organization cannot afford the cost of back-up staff in the event of a maternity leave or a short-term disability.

Outside organizations specializing in outsourced IT audits can meet these challenges because their human resource policies are attuned to the needs of specialized IT audit staff and they are regularly recruiting and training such staff. Very experienced IT auditors are attracted to join such organizations because of the diverse client base, the training that is offered, the ability to confer with staff with similar skill sets, and the software tools and research databases that such firms can offer.

If no IT audit capability currently exists, outsourcing IT audit is relatively easy. If IT audit staff are currently in place, this becomes a key consideration in approaching the question of outsourcing IT audit. It is very important that existing IT staff be treated fairly and in a dignified manner. The transition plan for dealing with the existing staff is therefore a critical issue, as is communication to these staff leading up to the decision to outsource and subsequent to making the decision.

The outsourcing transition plan should provide for the following:

- The involvement of human resources staff of both parties. By involving human resources, they can manage the transition of staff from one organization to the other because they are familiar with the people issues, compensation plans, benefits, as well as the laws and regulations.
- IT staff members should be given the opportunity to interview for a position in the outsourcing services practice. Appropriate severance arrangements should be in place to deal with staff that choose not to join the outsourcer or who are not given offers by the outsourcer.
- The salary and benefits offered by the outsourcer must be competitive with the current market.
- There must be expanded career opportunities for the current IT staff within the outsourcer. In this way, existing IT auditors will see the outsourcing as an opportunity for career development.
- Existing staff should have access to mentors and peers during the transition process to ensure that the stress of any changes in their jobs is dealt with as well as possible.

In addition to any staffing issues, there are several other important issues that need to be addressed during the contracting phase:

- How organization knowledge will be retained as the outsourcer rotates staff. The outsourcer needs to address how it will retain key organization information as staff changes. One way this can be addressed is through a project leader who is responsible for relationship management with internal audit, the IT organization, and all other business units. Maintaining key client and process documentation in a central database will serve as a resource for new staff and reduce the learning curve. In addition, staff members that are rotated to other client assignments for their own personal growth are not lost from the outsourcer's organization and are available for consultation on specific, historical issues.
- How much control internal audit will retain over the IT audit function. Internal audit should ensure that it is involved in the IT audit work in order to prevent losing contact with the IT organization. Attending IT audit planning meetings, reviewing all reports before they are issued, and attending audit exit meetings can accomplish this.
- Extent to which existing internal audit methodology, including work paper content and audit report formats, will be used by the contractor. The more control internal audit retains, the higher the cost, as the outsourcer's staff will have their own approach and report formats that they are trained to use.
- The ownership and storage location of the work papers. Professional practice rules of the outsourcer may require that it retain a copy of, or have access to, the working paper storage area used by internal audit. Working paper retention policies may also have to be reviewed and altered to meet the requirements of both parties.
- The office space and technology needs of IT auditors. Cost savings can be realized by having the outsourced IT audit staff work out of the contractor's offices or by requiring them to supply their own computers, printers, and office supplies. Any IT equipment supplied by the contractor would need to be compatible with existing organization systems, as the IT auditors will need access to these systems, including internal email accounts and voice mail systems.
- Independence of the outsourcer. The outsourcer may serve several clients which have a similar business or share the same customers. This can be a key benefit in outsourcing because the outsourcer has good industry knowledge; however, the outsourcer will need to address how it will maintain the confidentiality of information, particularly competitive information. If the outsourcer is also the external auditor, there may be issues that internal audit wishes to keep internal to the organization until the appropriate time. The outsourcer would need to address how it will maintain the separation between external and internal audit responsibilities.


Not all issues can be anticipated in the outsourcing contract, and new issues will arise. As outsourcing is a form of partnership, an outsourcing management board composed of internal audit and outsourcer management staff should be put in place to co-develop the protocols for the transition and to co-ordinate and resolve issues that arise after the outsourcing contract has been signed. Although an outsourcing contract will have legal remedies to deal with disputes, the advantages of the outsourcing relationship will be lost if they need to be invoked; therefore, the outsourcing management board should be empowered by the outsourcing contract to interpret the outsourcing contract and develop an appropriate solution that is suitable to all parties.

A summary of the advantages and disadvantages of outsourcing:

Advantages:

- Leverages the outsourcer's resources, including methodology, technology, tools, and knowledge.
- Increases the access to a larger pool of experienced IT audit staff, including IT security specialists.
- Achieves efficient IT audits because of the large pool of experienced internal auditors that can be used on an audit, audit management methodology optimized to reduce audit time, and the profit motivation of the outsourcer.
- Eliminates the costs associated with recruiting, hiring, and training IT auditors.
- Potential elimination of the costs of office space, facilities, and support if the outsourced auditors are not housed on-site.
- Reduces travel costs, assuming the outsourcer has offices nationally or internationally.
- Results in increased staff productivity by adopting the contractor's engagement management structure.
- Increases independence and objectivity.

Disadvantages:

- IT audit is no longer a potential training ground for internal staff.
- Perceived loss of control over an important risk management function.
- Retention of corporate knowledge by the outsourcer.
- The integration of IT audit activities with operational, financial, and compliance audits may be difficult.

Summary

There is no right or wrong alternative for IT audit staffing. The decision to use a particular alternative will inevitably be a fluid one. Internal audit will need to adopt a staffing strategy that meets its current needs. The decision to change the staffing strategy will be driven by the availability of appropriately trained IT auditors, internal audit's ability to recruit and retain IT auditors, inability to provide the required IT risk coverage, the ability of another alternative to achieve the same risk coverage at a lower cost, budget availability, or a changing IT risk profile.

2002 Ernst & Young. All Rights Reserved. Ernst & Young is a registered trademark.

www.ey.com