
Best practices for choosing an outside IT auditor

Learn six points for choosing the right outside auditor.

It's good to be an IT auditor these days. For starters, there's a growing -- if not complete -- business dependence on IT. What's more, government legislation, such as Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley, is forcing companies to scrutinize their IT operations. Odds are that most enterprises will have to work with an outside auditor in the near future.

Whether it's for ISO/IEC 17799, SAS70, or regulatory compliance, there are six key points to keep in mind when selecting an IT auditor.

1. Don't dismiss non-technical background candidates
I know some great IT auditors who can't explain the difference between a firewall and a fire hydrant. Is this someone you want pointing out weaknesses in your information systems? Your initial thought may be a resounding "no!" But don't fret: With a few exceptions, auditors aren't highly technical. Most are business-focused, and that's not a bad thing. A business-focused auditor will be able to point out IT issues that can impact your business goals and bottom line. For instance, he could point out IT inefficiencies and demonstrate how your organization can leverage IT to enhance product innovation and increase customer retention while, at the same time, improve internal business processes and lower overall operational costs.

While technical experience -- or the lack thereof -- shouldn't make or break your hiring decision, if you find an IT auditor who also understands technology (the ins and outs of networks, operating systems and applications), the better off you may be. A technical- and business-focused auditor will point out high-level business or "checklist" issues as well as explain the technical reasons why a certain system isn't up to snuff.

2. Look for certifications
Most professional IT auditors, especially self-employed ones, are going to be certified. Look for the Certified Information Systems Auditor (CISA) credential from ISACA. The CISA is an internationally recognized certification, comparable to the CISSP certification for information security. In fact, there are a lot of CISAs who also hold Certified Public Accountant, CISSP and other certifications, which are added perks, but like any certification, it won't guarantee you're going to get a quality person.


3. Look for experience
Anyone can be certified and know enough terminology to speak IT auditing-ese. Look for someone who asks relevant questions and listens more than they talk. These are signs of a true professional. But don't rely on words alone. Look at what your prospective IT auditor has done -- preferably for organizations in your industry. Check out the auditor's level of experience -- an auditor in high demand will likely perform several audits a year and focus solely on auditing. Ask about a track record for staying current in his or her area(s) of expertise. Check references too. A good auditor should have at least two or three outstanding testimonials from people who are willing to put their names on the line. And call references (if possible), rather than e-mailing, to ask about the auditor's attention to detail, etc. I've found that people tend to be more frank when talking live, but are typically nervous about how e-mail comments may be used against them.

4. Look for strong communication skills
You're likely going to be working closely with this person anywhere from a few days to several weeks, depending on the size of your company and the scope of the audit. There's a good chance that you, your team and the auditor will be dealing with some stressful and territorial issues. You want to find someone who's likely to be flexible and responsive to your needs. Look for someone who's a good communicator and speaks in your business language at your level. The auditor should be able to -- to a certain extent -- link the issues found with specific processes and political or cultural issues within your company. Otherwise, your audit could be limited -- and serve as more of a generic checklist -- due to lack of communication and general knowledge transfer.

5. Don't assume a brand name is always better
If you work for a large public corporation, chances are that there's already a relationship established with one of the large accounting firms on the financial side of the house. Does this mean you should use them for IT auditing services as well? Some of you might have to for political reasons, and I suppose others -- in the name of "shareholder value" -- simply don't mind paying a significant premium in exchange for the brand-name seal of approval.

If you choose one of the large accounting firms, realize that the people in the pre-sales meeting are not necessarily the ones who'll be doing the hands-on work. Find out who will be conducting the audit so you can review their credentials and experience. I've been on the receiving end of such services and have met some great folks at these firms. However, I can say with conviction that a higher price doesn't necessarily mean higher value, so do your homework. Ask yourself what you're really trying to accomplish and determine what you really need to get the auditing job done. The bottom line: skills and experience are more important than company name.

6. Ask to see their work
If you want to see what type of audit report you're going to get, ask to see some of your potential auditor's past work. To protect the guilty, encourage them to sanitize the report -- removing names, numbers, addresses, etc. -- before they give it to you. (If you get a report containing another organization's confidential information, look for another auditor. This is a telltale sign that they're not handling confidential information responsibly.) Look for clear, concise documentation on what was audited and what was found, and for recommendations for improvement if that's part of the deliverables.

Remember that IT auditors are there to point out where what you're doing doesn't match up to what you say you're doing via company policies, procedures, etc. They should know your industry and, most importantly, your business. Finally, an auditor should be able to list weaknesses in your IT processes from an unbiased perspective and from their audit experience -- not just from an auditing checklist.

Selecting the best IT auditor to meet your needs means fewer worries about what the auditor is doing, which affords you more time to do something fun -- like scrambling to prepare for your next big audit.

About the author
Kevin Beaver is author of the new ethical hacking book Hacking For Dummies, published by John Wiley and Sons, and serves as a regular columnist and expert advisor for and several other TechTarget sites. He can be reached at [email protected].

This was last published in September 2004
