1. You recruit your own IT auditor.
With this option, you hire, feed and water your own IT auditor. They will always be available for you and will have the time to understand your business and technology.
2. You outsource to a specialist firm to do your IT auditor.
This option means you choose a specialist firm – one of the big professional services firms, for example, to delivery your programme of IT audits. They choose a specialist team that will have the specific methods and/or skills you need to deliver your audit plan.
Pebl1, our sister company, introduces a third option:
3. You automate the completion of your IT audits.
This means you use a technology tool, like Pebl1, to automate the completion of your audits. Audit methodologies are baked into the system, and you’ll be asked for information and evidence through the year. Much of the analysis and reporting is automated, but there are still specialists in the background, reviewing evidence, checking the automated assessments and able to explain the reports and recommendations to you.
So, what are the benefits, and drawbacks, of each type. We boiled these into three areas, considering the implications on:
· Cost
· Specialist skills availability
· Audit quality
We standardised the work programme into the work that could be done by an in-house auditor – assessing this at six audits a year.
Our findings are below:
|
Recruit |
Outsource |
Automate with Pebl1 |
Cost |
Poor IT auditors aren’t cheap. Also, you need to invest in training to keep their skills current. We concluded an annual cost of £90k for a newly qualified IT auditor, staying for three years and one training course a year. |
Poor If IT auditors aren’t cheap to recruit, outsourcing is even more expensive. Six audits, assuming ten days for each and a day-rate of £1,500 per day, means this option would cost £90k too. |
Good £575 – £1175 per month, depending on the package you choose. We make the savings here by automating analysis and locking in reporting and methodologies. That’s slightly less than £15k each year. |
Specialist skills availability |
Poor This is the challenge with recruiting. You have one person, and they are unlikely to be expert in everything. |
Good The big firms have access to all sorts of specialist resources, regardless of technology or industry. This is a real strength of outsourcing. The drawback tends to be you don’t get the specialist doing the work in many cases. |
Good The specialist skills are locked into the methodologies, which are developed by specialists and tried and tested. The analysis behind your audit is validated and works well. The pool of auditors has a broad skills base, the same as outsourcing would, but they don’t spend as long on each audit. |
Audit quality |
Good Assuming you hire a qualified auditor, you know you’ll get an audit of a fair quality. However, review and QA of that work will be a challenge if you only have one IT auditor. The real strength of an in-house auditor is they will know the business, though. |
Good The big firms have the depth to review work properly and can add insight from their other clients. They have well-defined methodologies too. |
Good Automated auditing will offer benchmarking as well as objective issues. Yes, it’s reviewed for accuracy, but the automation will help make sure your audit doesn’t ‘skip bits’ that are too tough to audit (which is often the case for humans, I’m afraid) |
Other things |
In-house, you’ll get great flexibility, and someone you can call on to support those ad-hoc queries. There’s also speed of delivery. Our experience is that each audit can take 1-2 months to deliver in total. |
Outsourced staff are great at offering external insight. Also, a report issued by a well-known firm carries a weight all of its own. However, outsourced function planning can be inflexible (they tell you when they’ll audit), and can take a long time too (1-2 months to report) |
Automated audits mean you’re in control of timing, and that you waste less time on idle chit-chat and explaining the basics to the auditor again. The audit can be completed in days or, in the simplest cases, even hours. |
Conclusion
Ultimately, it’s a choice. If cost is important to you, then you should consider a Pebl1 automated internal audit plan. If business knowledge is critical, then in-house. If niche or specialist skills are important, then you probably outsource. We wouldn’t try to tell you that automated auditing is perfect for everyone, but it does have a role in what is becoming a more competitive industry.