12 May 1937, was a very good day for Albert, more formally known as Albert Frederick Arthur George Saxe-Coburg-Gotha.1 The day before, he had been merely the Duke of York. But on 12 May, he became King George VI, the King of England.2 As king, Albert was said to have taken his unexpected kingly responsibilities seriously and, notably, was the first British monarch to visit the United States.3 How did Albert find himself in such a fortunate situation? His brother Edward VIII abdicated the throne. The reasons why are better left for another time. But what makes Albert and Edward’s story relevant to the field of audit is abdication, or the relinquishing of responsibilities by 1 party and the acceptance of those responsibilities by another.
In the 2022 report IT Audit Perspectives On Today’s Top Technology Risks by Protiviti and ISACA, 67% of respondents self-identified as having (or having access to) the talent or skills necessary to perform their duties.4 Of that same group, when asked about their primary strategies for acquiring talent and skills, 56% said that they would train/develop existing employees, 21% said that they would hire new employees, and 15% indicated that they would co-source employees.5 To distinguish between outsourcing and co-sourcing, co-sourcing can be defined as an audit function’s active participation with another group to leverage that group’s specialized skills/knowledge or availability with the objective of enhancing the audit function’s own skills/knowledge.
Co-sourcing can be defined as an audit function’s active participation with another group to leverage that group’s specialized skills/knowledge or availability with the objective of enhancing the audit function’s own skills/knowledge.
Organizations that opt to develop their existing staff are able to access the skills required to meet their audit needs. At the same time, auditors are growing their careers through ongoing practical professional development. For the “have-not” enterprises (the 33% that do not already have access to the necessary talent or skills), is co-sourcing underutilized as an option to meet IT audit talent demands? Without data specifically concerning this area, it is difficult to know. But I can say with certainty that there are perceived barriers to co-sourcing.
Those who are dedicated to the practice of IT audit receive an introduction to due professional care or the concept of having adequate knowledge and professional competence to do their jobs early in their careers.6 Due professional care creates a sense of responsibility and accountability that auditors closely associate with their work. So, it stands to reason, that auditors may resist relying on others to complete work for which they are responsible. After all, who wishes to be perceived as dodging their responsibilities, or abdicating?
Due professional care creates a sense of responsibility and accountability that auditors closely associate with their work.
There are a number of suggestions for overcoming the perceived barriers to co-sourcing, including:
- Self-educate. Once the audit topic has been identified, the auditor can self-assess areas where knowledge or skills are needed. If formal training is not available, on-demand resources can be accessed. Once the internal or external subject matter experts (SMEs) are available to collaborate on the project, the auditor will have already identified and addressed the high-priority areas where enhancements to their knowledge base are needed.
- Participate actively with SMEs. Many auditors may have reached points in their careers where they typically serve as mentors. When co-sourcing, however, the roles may be reversed and the auditor may act as the mentee. That is perfectly acceptable. The auditor should reflect on early career experiences and revisit the role of learner. They can ask questions and initiate discussions to ensure that their understanding of newer technology and performance of newly acquired skills are accurate. Participating in testing when possible is advisable.
- Self-evaluate. As the project is coming to its end, the auditor should take an opportunity to reflect. Were the knowledge or skill areas identified at the beginning of the project still relevant? Or did the project reveal other areas where knowledge and skills should be enhanced? It is possible that areas thought to be important initially are actually lower priority in the larger picture. It is important to conduct this self-evaluation as the project is ending, not after it has ended. The internal or external resources with whom the auditor partnered are still engaged with the project. So, they are still available for guidance on addressing knowledge or skill deficiencies.
Conclusion
As the number and complexity of topics in which IT auditors are expected to have expertise continues to grow, co-sourcing is an available but not often used option. As a purposeful partnership with internal or external resources, co-sourcing simultaneously meets enterprise objectives and facilitates upskilling. This partnership makes sure that auditors are not in jeopardy of abdicating anything. Like Albert, auditors are in a fortunate situation. They retain the due professional care that is a hallmark of the profession while actively developing the knowledge and skills needed to remain up-to-date.
Endnotes
1 Biography.com, “George VI,” 27 April 2017
2 Ibid.
3 History, “King George VI Becomes the First British Monarch to Visit the United States,” 9 February 2010
4 ISACA®, Protiviti, IT Audit Perspectives on Today’s Top Technology Risks, USA, 2022
5 Ibid.
6 ISACA, Information Technology Audit Framework (ITAF), USA, 2020
Robin Lyons, CISA, CDPSE, CIA
Is a professional practices principal leading ISACA’s IT audit practice. She works with IT audit, risk and governance professionals by developing guidance and tools that assist them in their practices. Before joining ISACA®, Lyons was a Payment Card Industry Data Security Standard (PCI DSS) subject matter expert for a Fortune 200 enterprise and an internal audit director for an institution of higher education.