Evaluating IT solutions with the adequate level of IT security controls over IT resources requires a detailed principles and practices understanding. Regarding audit staffing, potential ISG engagement members should have the appropriate seniority and proficiency. Generally, when ISG audit objectives involve a wide range of information system functions, assigned audit personnel should have extensive organizational knowledge and related processes understanding. These audit personnel criteria can be satisfied through a combination of formal education, relevant certification and/or professional experience.
If after evaluating potential in-house audit engagement candidates, audit management determines the IT audit function does not have the required skill set, professional service outsourcing may be considered to enable an ISG audit or review. For example, IT audit staff members may not have the appropriate business, technical, and/or framework knowledge to adequately perform a scheduled ISG audit in a timely manner. Hence, audit management may consider ISG audit outsourcing to complete the scheduled engagement.
“View Part I of the Auditing Information Security Governance series here“