State Agency - NASACT · Web viewDemonstrates a working knowledge of IT security standards and best...


TOPIC: Position Description for Entry-Level Performance Auditor with IT Emphasis
OFFICE: Auditor
STATE: WA
DATE: 05/31/2017
QUESTION / ISSUE: The Washington State Auditor’s office seeks to develop an entry-level performance audit position with an IT emphasis specifically to support our cyber security performance audits. To help us develop a position description and associated recruitment, we welcome any input in the form of position descriptions or recruitments you’ve used for similar or even related positions.

State Comments

Kansas

Here is our position description. Note that under “Experience” it says, “The IT Auditor position is the entry level position for the IT audit team. Staff considering this track should have been promoted to at least Auditor as a performance auditor.” In other words, the new IT Auditor is new to the IT function, but not to the agency.

F01.03.03 IT Auditor

Function

An IT Auditor conducts information technology audits of government agencies in accordance with the division's policies and procedures. An IT Auditor is expected to have mastered basic audit competencies. An IT Auditor should have an understanding of IT security requirements and best practices. As part of the team, an IT Auditor conducts interviews, carries out various assessments or tests of policies and practices, and makes observations and reviews documentation to analyze and interpret potential non-compliance issues. An IT Auditor works under the general supervision and direction of a designated IT audit supervisor and the division’s IT Audit Manager. In addition, an IT Auditor assists with the division’s continuous IT project monitoring function. Lastly, in addition to their audit responsibilities, an IT Auditor may perform other non-IT audit tasks at the direction of the Legislative Post Auditor.

Reporting and Supervision

Reporting

Generally reports directly to a designated IT audit supervisor as well as the division’s IT Audit Manager.

Supervisory Responsibilities

None

Core Competencies and Responsibilities

Critical Thinking
1. Remains persistently inquisitive, skeptical, and probing in evaluating the auditee.
2. Identifies where the agency has failed to address important security issues and develops appropriate problem findings and causes.

Audit Skills
1. Demonstrates a working knowledge of IT security standards and best practices specified by ITEC.
2. Uses software tools with moderate assistance to identify security vulnerabilities.
3. Recognizes when potential software applications could be used to address audit objectives and initiates proposals for new or more sophisticated tests.
4. Identifies and assesses the reliability of evidence to support problem findings, including logical and sufficient sampling and testing work to support findings.

Writing Skills
1. Contributes to synthesizing problem findings, assigning risk rankings, and developing appropriate root level causes for non-compliance issues.
2. Compiles draft reports with little or no help and ensures draft reports are complete, accurate, and follow the division’s policies and procedures.

Interpersonal Skills, Work Habits, and Leadership
1. Produces accurate, logical and organized workpapers that conform to the division’s policies on a timely basis.
2. Makes meaningful contributions to the audit team throughout the audit, including volunteering or assisting others when the opportunity arises.
3. Works actively to foster a challenging, creative, and cooperative team environment.
4. Demonstrates an ongoing commitment to the IT security audit profession.

Minimum Qualifications

Experience

The IT Auditor position is the entry level position for the IT audit team. Staff considering this track should have been promoted to at least Auditor as a performance auditor and have demonstrated an interest and basic understanding of IT security concepts. However, specific IT security experience is not required.

Education

A bachelor’s degree is required; a master's degree or a significant amount of graduate-level coursework is preferred.

Certifications
1. None are needed to become an IT auditor.
2. Within one year of appointment, an IT Auditor must earn the state’s Project Management Methodology (PMM) certification.
3. Within two years of appointment, an IT Auditor must sit for the Certified Information Systems Auditor (CISA) exam.

* Because filling these technical positions can be difficult, any of these requirements may be waived at the Post Auditor’s discretion.

Montana

Attached are a few documents to help with your position description/recruitment. The first one is our position description for IS auditors. The description was written for a more generalist type IS auditor, while it appears that your office is focusing specifically on cyber security. That being said, there may be some pieces that you find useful. The next two documents are the documents we use during our recruiting efforts. These documents are also more general in nature since we have not had good luck hiring technical experts. They tend to leave our office to work for the State IT Department or for the executive branch agencies. Therefore, we recruit for individuals that have some IT experience/background and are strong analytical thinkers. The best way we are able to measure applicants’ abilities to do the work is through our in-house interview process. During the in-house interview, the applicant must complete a case-study which requires them to work through general IT audit issues. If you would like more information on this case study, don’t hesitate to contact me via email or phone. Good luck and let me know if you need any additional information/details.


New York

Below you will find a description of the duties and knowledge, skills and abilities that we look for in our IT auditor positions at the NYS Comptroller's Office's Division of State Government Accountability.

Performs audits and reviews of information systems and technology in accordance with applicable auditing standards; analyzes and evaluates the adequacy, effectiveness, security, integrity and efficiency of information systems and technology; analyzes and evaluates internal controls, performs external and internal vulnerability assessments of State agencies using appropriate security testing tools and techniques; performs general and application controls audits of various computer systems throughout New York State, including operational practices and system development activities; researches laws, regulations, policies, procedures and systems documentation to achieve audit objectives; and provides support to other audit teams using advanced testing techniques to fulfill audit objectives.

Provides support as needed with the administration and maintenance of the hardware and networking of the IT Security Facility, as well as supporting any testing assessment software used during audit engagements.

Assesses program risks to plan potential audits, works on special projects or audit research, and researches and tests new techniques, exploits and tools to be used during audits and testing those in the IT Security Facility.

Knowledge, Skills, and Abilities:

Knowledge of computer networking, client-server programming, database management systems and information security.
Knowledge of programming languages.
Experience with user access, IDS/IPS, and technical writing. (1-3 years)
Experience with software that provides web content security and vulnerability assessments. (1-3 years)
Experience with various operating systems such as Unix/Linux and Windows. (1-3 years)
Experience with active directory, IP protocols and security products. (1-3 years)
Good communication skills.

North Carolina

Attached are two vacancy announcements and three job descriptions for your review.
