Article | TREND NO. 1
How to build an effective IT audit team during a time of skilled resourcing shortages
Jan 25, 2023 · Authored by Madhu Maganti, Mike Cullen, Jim Kearney, Meghan Senseney
Facing competition for experienced staff in an already tight skilled labor market, organizations across the world are fighting to strengthen their team’s risk management abilities. In this environment, individuals with the right technical certifications, relevant experience or soft skills may be difficult to find, and even harder to retain. In fact, the 2022 (ISC)² Cybersecurity Workforce Study shows that 43% of respondents are unable to find enough qualified talent to meet their goals, and 33% of respondents are struggling to keep up with employee attrition.
What to look for when staffing your IT audit team
Equally important as attracting skilled labor is attracting the proper skilled labor. Employees responsible for an organization’s risk management function should have a balanced mix between technical certifications (e.g., CISSP, CCNP Enterprise) and risk-oriented certifications (e.g., CISA, CISM, CIA, CPA) to provide insight into risks from both cybersecurity depth and enterprise risk perspectives. This technical mix should be balanced with a strong set of soft skills and good cultural fit with the team.
To further supplement these skilled team members, finding existing employees with the right aptitude for risk management may allow for a better connected and more knowledgeable workforce. In forming an IT audit team, for example, some of the best candidates may sit within security operations, IT administration, infrastructure or other teams within the organization’s Three Lines.
Even after building a skilled team, it’s vital to define an effective reporting structure – leadership skills are a must! To ensure that skilled labor is used to its full potential, it’s necessary that all supervisors and managers are made aware of their responsibilities to those who report to them, and that they understand how to communicate information up and down. Hiring a technical employee with no managerial experience into a leadership role may harm team morale and result in increased turnover or dissatisfaction.
Co-sourcing/outsourcing opportunities that bring the right talent
While some organizations may choose to keep most risk management activities in-house, others may prefer to co-source portions of the team, or outsource. Co-sourcing and outsourcing skilled labor may provide more access to an agile, responsive talent pool with more diverse backgrounds, and typically more experience than can be easily found on the open job market. This talent option can be pursued as a means of either augmenting staff abilities or supplementing them. These tasks are often performed on an engagement-by-engagement basis, and may provide more flexibility than hiring a team of full-time employees would in the long term.
Chief audit executive in the financial industry: “Co-sourcing relationships enable organizations to address talent gaps and enhance their ability to execute on technically complex audit programs. Additionally, external providers can help expand on risk assessment maturity.”
Keeping skills sharp
If an organization is able to successfully attract and retain an appropriately staffed IT audit or risk management team, it must still address the ongoing challenge of developing and amplifying that talent. It is critical to balance efficient and effective training programs with timely and impactful on-the-job coaching. Organizations should leverage training content from their existing support channels, whether that be external audit, HR, or knowledgeable third-party service providers. When enhancing your IT audit or risk team, be thoughtful about whether your existing resources are better suited to teaching ‘how to audit’ or to teaching the technical topics that may produce more valuable assessments within the organization. This determination will inform how to hire and upskill your team.
Beyond training on operational responsibilities, there has been a generational shift in the value gained from leadership coaching. Leading a team based on core values of empathy, purpose and belonging enhances the sense of community within teams. Providing employees with mentorship programs, ongoing training and education, upward mobility and increased flexibility will help hone their skills and increase the effectiveness of their work. Putting soft skills at the forefront of leadership is critical to establishing high-performing teams and retaining exceptional talent.
Higher ed spotlight
Skilled IT audit resources are especially difficult to recruit and retain in higher education. Three factors contribute to this challenge:
- Often, higher education IT audit salaries are not competitive with other industries, such as financial services. Combined with the growing number of fully remote jobs available, this makes switching organizations less costly for auditors and makes attracting and retaining IT auditors more difficult for higher education institutions.
- IT auditors are being recruited into cybersecurity roles since they have the requisite knowledge of cyber risks, control frameworks and compliance requirements, making them attractive candidates. This also provides IT auditors an alternative career path with additional growth and advancement opportunities.
- IT auditing in higher education is difficult because of the wide range of knowledge, skills and abilities required, the diversity of constituent groups, and the assortment of compliance needs arising from applicable laws and regulations.
Given these challenges, higher education chief audit executives (CAEs) and directors of internal audit need to think differently to address the need for skilled IT auditors, while balancing the need to complete the growing number of IT audit projects they have identified in their risk assessments without commensurate talent to execute projects. Baker Tilly has worked with higher education institutions of all types and sizes to develop and execute flexible approaches to meet the institution’s IT audit activity needs. These approaches typically follow three basic models:
Model No. 1: Teaming
Baker Tilly provides subject matter guidance throughout the audit cycle and jointly conducts IT audit activities with the institution’s existing team and/or other individuals with interests in IT.
Model No. 2: Project
Baker Tilly collaborates with the institution to develop a specific project scope for a distinct IT audit project. Then, our team executes the entire project from start to finish. The institution’s personnel can participate in the project as they wish.
Model No. 3: Annual plan
Baker Tilly collaborates with institutional leadership to develop a plan for IT audits each year. For higher education organizations, we typically execute two or more projects each year, handling all project planning, execution and reporting.
Since each institution is unique, our specialized team can tailor any of these models to build a custom IT audit solution for the institution’s needs, resources or budget. This includes the ability to deliver both traditional audit assurance projects, which typically evaluate mature and/or critical processes and technologies for adequate risk management and compliance, and more elastic audit advisory projects, which are consultative engagements to identify improvements in risk management activities for immature, newer or changing processes and technologies.
Higher education case study
Baker Tilly recently engaged with a university that has seen high turnover of its IT audit staff and an inability to recruit new talent given their competitive geographic location and low salary caps. With only one full-time IT auditor left on the team, the CAE asked Baker Tilly for help.
Through collaborative discussions with the CAE, the team developed a custom solution that accomplished the following:
- Triaged all in-progress IT audit projects and determined where Baker Tilly would assist with project execution and deliverable review to finish the work
- Developed a shared responsibilities matrix to prescribe the specific roles for internal audit staff and Baker Tilly staff on each project to avoid any duplicate efforts or delays in conducting activities
- Recommended, then executed, an IT risk assessment for future internal audit planning and alignment of IT audit efforts with the university’s strategic IT goals and projects, resulting in a prioritized IT audit project plan
- For each IT audit project on the plan, the CAE and Baker Tilly structured different teams of combined personnel to execute the various projects throughout the audit year
Time to take action
Process for building a high-performing IT audit team:
Step 1: Develop a mission and purpose collectively as a team and align on a set of behaviors, which will be critical to mission and purpose realization.
Step 2: Execute a risk assessment to inform generation of an internal audit plan.
Step 3: Assess the current state of the team (competencies and capacity).
Note: It is important to do this AFTER establishing a risk assessment and internal audit plan. Many organizations build a plan based on their team capabilities, when emphasis should be placed on the biggest risks to the organization.
Step 4: Address talent or capability gaps through the methods mentioned in this article.
Step 5: Enable leadership through coaching and continuous communication to disseminate the team's mission and purpose in an effective manner.