Information Technology and Security Audits: What to Outsource and What Internal Auditors Can do for the Best Results

Information Technology and Security can be a tricky topic for many Internal Auditors. For most of us, we know we don’t have the technical knowledge to audit this area, but want to ensure that it is appropriately addressed in our risk-based audit plan. That typically means hiring an external specialist. And rightfully so! It is our duty as auditors to know our limits and understand when we need to hire a subject matter expert to do the testing that we simply do not have the skills to complete.

But what about the parts of the IT & security processes that we do understand? If you read this blog regularly, you know Olivia and I believe you don’t need to be the expert in a subject to perform a quality audit. Is Information Technology and Security any different? Is there a way for us as Internal Auditors to address some of the risks associated with Information Technology and Security between our external audits of this area? Would this even be beneficial to our organizations? These are all the questions we asked ourselves when a subscriber reached out to us asking for such a program.

At first, we didn’t think we could add much value to this process, but we did what any good auditor should do… research! We reached out to experts in our network to find out how Internal Auditors with limited technical knowledge could bring a fresh perspective and add value to this process. The final result is a 27-step audit program that allows any Internal Auditor to complete this project with ease!

We worked directly with Fellen Yang, a Senior Manager of Risk Advisory and Cybersecurity to create this program, and couldn’t be more pleased with how it came out. I recently chatted with Fellen to provide you with some more information on her expertise and to see how she thinks this collaboration could add value to your audit shop!


John Kaneklides: Tell me a bit about yourself and your background.

Fellen Yang: I live in Charlotte, North Carolina and started working in IT Audit by supporting financial statement audits at PriceWaterhouseCoopers. Before that I worked at a technology company designing motherboards. I have a grad degree in Decision and Information Systems Sciences. After my work at PWC I went to work at Wells Fargo, focusing on project management for international projects (risk assessments, compliance, etc.). Then, I worked with RSM, which gave me much more exposure to working with Internal Auditors, FFIEC, FDIC, OCC, NCUA, etc. I continued my career at Elliott Davis focusing on Internal and External Audits. About half of my time is spent conducting IT and security audits, and consulting projects such as data governance.

JK: That is quite an extensive resume and it seems you had just the experience we needed to work on this project together. Speaking of this new audit program, how do you think this collaboration can help our mutual clients.

FY: Based on my experience, I have realized there are a lot of gaps that many financial institutions don’t know about or have enough resources to put a program like this together. Smaller institutions are making due with limited resources and a program like this will help them do a successful gap analysis. At firms, we don’t like to have a lot of findings and we want our clients to do their best to cover all the risks associated with IT and security. This audit program will help a financial institution identify what could be a surprise and can streamline the process before you have someone from outside the company correct an issue.

JK: It sounds like this program can really benefit an organization. If you were coming into your annual Information Technology and Security audit at an organization and you saw that the auditor had completed this project, would that alter your audit program?

FY: If they have followed the procedures outlined in the program, they should have all the documentation in place and all the key points together. This would save us as external auditors a lot of effort. Consequently, it would allow us to focus on the real issues, or real risk. We could spend more of our time on higher risk issues and help and consult the financial institution of a process that is much easier for them to follow. These time savings, on our end, would also allow us to give more specific advice! As I am sure your subscribers know, it is impossible to address everything, but if an audit department had completed this program before we came in, we could better address more risks for your financial institution.

JK: So, when do you think it would be beneficial for an Internal Audit department to complete this audit program?

FY: This program could be completed anywhere from 6 months to one quarter prior to when we come in for our IT and security audit.

JK: Do you think an auditor with little to no knowledge of IT and security could complete this audit program?

FY: YES! Any competent auditor should be able to follow this program with ease. Many of the areas in the IT audit do not require specific IT knowledge, such as the FFIEC guidelines. The auditor should have an understanding of the risks at hand, but we have built that into the program.

JK: Can following this program help an Internal Audit department understand IT and security more?

FY: Yes. It will also help the IT department by having the auditors understand IT on a strategic level. Because, if no one understands what you are doing, how can you get the support you need?!

JK: How long would you estimate this program would take for an auditor to complete?

FY: 35-40 hours should be sufficient time.

JK: I know we have touched on this before, but how do you think this program could add value to an organization?

FY: It could help add so much value. It would help prevent surprises when the external IT specialists/auditor come in. It would also help management address another level of potential issues that regulators will look at. With regulations slowly becoming stricter, this will help financial institutions save time in the long run.

JK: Fellen, it has been such a pleasure to work with you on this project and I look forward to more collaboration in the future!

FY: Thank you, John! I look forward to it as well. I hope your subscribers put this program to use and find that it adds value to their organization.


If you are a subscriber, download our IT and Security Audit Assistance program for Credit Unions or banks today. Let us know what you think of it and how you are putting it to work at your organization!

Share on facebook
Share on twitter
Share on linkedin