I've been asked to write a job specification to hire an IT auditor for a firm that has never had one. I'm not an IT Auditor, but have had IT auditors assigned to my project teams in the past. I've found that the skills the people brought to the team varied substantially. Will appreciate receiving your thoughts on the skills, experience, training that you believe are essential for an IT auditor to be effect in two situations:

1 - a broad internal audit-internal controls services practice performing standard general controls and applications controls reviews in a variety of environments.

2 - for performance of SAS70 services.

Many thanks

This is what we used:
General Summary
This position will report to the Senior Audit/IT or Audit Manager/IT within the Internal Audit Department (IA). The Internal Auditor/IT will be responsible for the assisting in the planning and participating in conducting the information system audits for assigned business units in addition to evaluating the risk levels, business activities, and management controls in those areas to assess the adequacy of the information system control environment. This position is also responsible for the Information Systems (IT) audit work plan related to Sarbanes-Oxley Section 404. Work involves planning, preparing documentation, interviewing clients, designing test procedures, and executing and facilitating testing with other groups. Technical reviews of controls related to Access, Change Management, Manage Data, Network/Workstation Security, and Mainframe/UNIX/Windows operating systems. This position will require strong analytical skills and a thorough understanding of information technology and related Sarbanes-Oxley requirements. Working knowledge of all applications utilized throughout the organization is essential.


Principal Duties and Responsibilities
1. Establish audit objectives and assist in the development of the audit program, including time estimates, plan of work and steps necessary to collect data and document findings.
2. Develop audit tests that maximize efficiency and effectiveness of the audit process, ensuring a high-degree of assurance.
3. Perform audits in accordance with professional and Company standards.
4. Assist in ensuring adequate audit planning occurs to obtain an underlying understanding of the business process, ensuring a high-degree of assurance.
5. Participate in planning special projects to meet the needs of management.
6. Develop and execute Sarbanes-Oxley Information Technology testing activities.
7. Participate in coordinating and performing audit assignments, reviewing the efficiency and effectiveness of departmental operations, the adequacy of internal controls, and verifying compliance with regulatory and contractual requirements.
8. Execute audit work to assess the adequacy of the Information Systems control environment supporting the identified business processes and their related risks.
9. Work collaboratively with IA management to ensure audit results (i.e. report) clearly communicate the identified risks/exposures and their identified root cause(s) to business unit and executive level management.
10. Work collaboratively with business unit management when they are developing action plans to address identified risks/exposures by providing relevant and practical recommendations.
11. Assist in the implementation and maintenance of audit productivity tools.
12. Identify output, process measures, establish data collection plans, monitor process performance
13. Assist in the implementation and use of data analysis tools (e.g. ACL, Microsoft Access/Excel) to support the overall internal audit function.
14. Continuously enhance personal understanding of the Company’s strategy, business model, and business processes.
15. Oversee change initiatives to ensure that they occur by agreed to deliverable dates.
16. Analyze audit test results and summarize qualitative findings in order to provide Senior Management with detailed recommendations.
17. Review the reliability and integrity of IT processes and the internal control systems used to report such information.
18. Review various IT system controls established to ensure compliance with applicable policies, plans, procedures, laws and regulations.
19. Evaluate potential exposure or risk in various CCH IT operations.
20. Review and analyze IT systems to determine if opportunities exist for integrating, reducing and/or improving current subsidiary processes.
21. Analyze various financial reports to ensure data being utilized at the user level is timely and accurate.
22. Follow-up on action plans for IT remediation items from audits to ensure timely implementation.
23. Consistently monitor IT compliance issues and determine what intervention is needed to ensure that subsidiaries are in compliance with CIS Policy and Procedures.



Education and Experience
1. Bachelor’s degree (BA/BS) in computer science, information systems, or accounting required.
2. 2 - 5 years of experience in auditing information systems, system security or internal audit, specializing in application processing or operating systems platforms.
3. Professional designations – CISA, CIA, CPA, CISM, and CISSP, and CFE are preferred.
4. Knowledge of all applications utilized throughout the organization preferred.

Skills
1. Technical expertise, objectivity, and unquestioned integrity are essential elements of this position.
2. Working knowledge of Sarbanes-Oxley Act Section 404 in addition to proven aptitude of IT auditing principles and IIA principles.
3. Demonstrate a practical knowledge or application of COBIT Framework.
4. Organizational and time management skills a must.
5. Strong interpersonal skills and the ability to successfully interact with various levels of business unit management.
6. Excellent PC skills, Microsoft Office Suite products (Word, Excel, Access, PowerPoint) and familiarity with MS Project, Visio flowcharting and audit productivity software packages.
7. Superior analytical skills and overall business acumen.
8. Communication skills: verbal, written, and listening.

Abilities
1. Ability to produce thorough, accurate and reliable work while meeting deadlines.
2. Ability to learn, retain and apply specific job knowledge and technology required for the job.
3. Ability to solve problems in a timely manner, using research and reasoning to develop solutions.
4. Ability to communicate complex information in a clear and concise, manner to an IT and non-technical audience.

Behaviors
1. Excellent customer service to internal and external customers.
2. Demonstrates dependability, accountability, flexibility, and adaptability.
3. Demonstrates initiative; creates innovative solutions.
4. Adheres to Company and Departmental policies and procedures.