Align language
Both IT and internal audit teams have their own languages and terms, which can create barriers to understanding when the two groups work together. Often, auditors who have a technical understanding of IT basics can help reduce confusion.
Here are some examples of how teams may use different terms to refer to the same idea.

Increase communication
Audit and IT teams frequently compete for the same budget and funding resources using different control frameworks, which means divisions occur naturally, and basic attitudes between each team can be vastly different.
For example, compliance for an IT team is considered a baseline security standard, whereas internal audit teams see it as one of several factors to consider when it comes to security. Cyberthreats often move faster than compliance standards can be written or adjusted to deal with these security issues.
Internal audit teams are often further from an issue in terms of process and time. IT establishes its security standards, and the results need to be audited and examined after a period of time to search for gaps or breakdowns.
Any issues identified by the internal audit will then be remediated. Internal audit teams could have a broader, more holistic view of the organization that allows them to assist with more cross-functional solutions.
However, in that same time period, other cyberthreats could occur and change; IT needs to respond immediately to address any risk. That’s why it’s important for IT to communicate issues with other teams in a timely manner, so they have the appropriate budget to address solutions.
Due to the independence and objectivity requirements placed on internal audit teams, it can often seem like their role is to police security, although it’s really to improve overall security. Taking these differences into account can help smooth friction between the two teams as they work toward achieving shared goals.
Other ways to improve collaboration include:
- Communicate the importance of audit efficiency to improve the audit and cybersecurity experience
- Prepare and provide the list of reports or system reviews needed ahead of the audit
- Solicit IT leadership’s feedback on high-risk target approaches
- Use audit findings to help drive remediation projects and increase budgets for security
- Create cross-functional committees or communities to foster better communication practices
Share and understand data goals
The ultimate goal is the confidentiality, integrity, and availability of sensitive data. This includes:
- Protecting tangible and intangible assets
- Reducing the possibility of fraud
- Knowing the types and location of data within the enterprise, such as personally identifiable information (PII)
- Creating a systematic approach to improve the effectiveness of risk management, control, and governance processes
- Understanding all frameworks used across all areas of compliance, such as COSO or COBIT 5, as well as the framework used by the IT team to assess security, such as NIST 800-53 or 800-171, ISO 27001, or HITRUST CSF
Through increased and transparent collaboration, IT and internal audit teams work toward improving the security and functionality of their organization.
They can design an audit that will allow for the greatest amount of collaboration, so they’re able to prevent, spot, and address cyberthreats as quickly as possible.