• Although many potential benefits accrue to organizations that establish effective internal IT audit capabilities, not all organizations have sufficient resources available to dedicate staff to auditing, or to do so in a way that covers all the areas within an organization that need auditing.
• Aside from the resource costs associated with internal IT auditing, other challenges include the significant skills and expertise needed by internal auditors and the perceived or actual lack of independence for internal audit activities, particularly in smaller organizations.
• The range of operational processes, technical components, and internal controls potentially subject to IT auditing is varied enough in many organizations that it is unreasonable to expect that individual auditors would have sufficient breadth of knowledge and skills to address all of them.

Even with detailed audit protocols in place, organizations often need to enlist the services of multiple auditors (possibly including outside contractors) to cover the scope of IT audits they want to perform. Internal IT auditing performed by employees of the organization also raises potential questions regarding auditor independence and objectivity.

Internal auditors

Internal IT auditors often have substantial prior work in information technology, whether their experience includes broad IT knowledge spanning multiple domains or more specialized areas of expertise. It is certainly possible to begin in finance, accounting, or other business domains associated with conventional auditing and move towards a specialization in IT. IT-specific knowledge is required, however, to understand IT audit criteria and to be able to compare them to the implementation, configuration, and operations and maintenance details of IT systems and technologies. Additional IT skills may be required to correctly run test procedures or apply examination methodologies used in different types of IT auditing.

Common subject matter topics with which internal IT auditors should be familiar include:
• Business domains and associated processes supported by IT systems.
• Data governance, data management processes, data backup and restoration, and storage technologies.
• IT policies and procedures.
• Operations and maintenance processes.
• Systems development life cycle process and activities.
• Application, systems, and security.
• Computer operating systems.
• IT governance and risk management processes and frameworks.
• Internal control types and applicability.
• IT process management or security management models; and IT-related standards and certification criteria.

Summary

This chapter focused on internal IT auditing, contrasting it with external auditing (the subject of the next chapter) and describing the structural and operational features of internal audit programs that include IT audits within their scope. It highlighted the purpose, objectives, and rationale for establishing and maintaining internal auditing capabilities and described some of the potential benefits organizations expect to realize from effectively managed internal audit programs. The material in this chapter explained the typical positioning of the internal audit function within the organization structure and its relation to governance bodies such as corporate boards of directors. It also described some of the characteristics of internal auditors and the relevant skills and experience auditors need to do their jobs effectively.