Selecting IT Auditors or IT Consultants
by Jimmy Sawyers, BOL Guru

This is the first installment of a two-part article on "Selecting IT Auditors and IT Consultants" by Jimmy Sawyers, Director of Consulting at Reynolds, Bone & Griesbeck PLC in Memphis, Tennessee. The following excerpts appear in the book, IT Auditing for Financial Institutions, written by Jimmy Sawyers and published by Alex Information.

As IT audits have become more complex with the addition of network vulnerability assessments and other network security-related procedures, financial institutions are relying more heavily on outside assistance to complement internal expertise or to completely outsource the IT audit or selected IT projects. When selecting outside assistance, what are some of the considerations?

Qualifications
What qualifications make the best IT auditor or IT consultant? Here are 10 basic considerations:

  1. Experience (In Years and In Engagements of This Type)
  2. Reputation of Individual or Firm (Person of Integrity or Semi-Reformed Hacker?)
  3. Familiarity with the Financial Institution's Technology Environment (Will You Have To Train the Auditor or Consultant?)
  4. Quality of Deliverables (What Type of Report Will You Receive? No Report, One Page Fax or 100-Page Manifesto?)
  5. References (What Do Other Financial Institutions Say About This Person's Recent Work?)
  6. Certifications (CISSP, CISA, CPA, CIA, MCSE, CNE, etc.)
  7. Depth (One-Person Show or a Team Approach?)
  8. Network (Does the Auditor/Consultant Have Access to Industry Resources?)
  9. Independence and Objectivity (Does the Auditor/Consultant Have Any Entangling Alliances That Will Negatively Influence the Engagement, Such as Receiving Referral Fees from Vendors? Can the Auditor/Consultant Adapt to Your Institution's Unique Environment, or Does He or She Take the "When You're a Hammer, Everything Looks Like a Nail" Approach?)
  10. Customization (Will You Get "Boilerplate" Findings and Recommendations or Will the Auditor/Consultant Customize the Engagement to Your Environment and Make Recommendations That Are Practical, Realistic and Helpful?)

Do you need a consultant who understands your financial institution's technology environment or do you need a CPA who can understand the IT audit's impact on the financial institution's financial statements? Is certification important? Do you need a Certified Information Systems Security Professional (CISSP) to perform that network vulnerability assessment? There are no easy answers. You should interview the individual and determine his or her qualifications and compatibility for the job.

The second part of this article, "Interviewing Potential IT Auditor or IT Consultant Candidates," gives you 13 questions to ask potential IT auditors or IT consultants before you engage them.

First published on BankersOnline.com 3/22/04