Tips to Help Non-Technology Auditors Manage Technology Audits in Government

This article is one of a 7-part series on “Technology Auditing Strategies” co-authored by Eric Stewart and Roberto Calderon.

In today’s technology-heavy world, working “outside of your area or industry” is a common experience. People may use certain skills acquired throughout formal training or university education to work in a somewhat unrelated field to the actual training or educational background. Nonetheless, even when one’s position presents some deviation from the actual studied major or intended career, there are certain skills that are transferable across career paths. Management is one of these skills, which can be used in almost all industries.

Management involves serving as serving as decision-maker with authority over others’ actions. Since management is a transferable skill, it can be applied to any number of projects regardless of previous background education or even related to the field work experience. However, can an individual with management skills alone succeed in a role, such as the lead of a technology-heavy audit? The answer is cloudy. An individual needs to have an acumen that allows for adaptability to technology contexts, even if their direct experience is not related to coding or technology infrastructure.

When it comes to Federal technology audits, a non-technology person could still be assigned a management position. In fact, often the person leading an audit is more of an expert at audit methodology and must rely on technology experts for the most technical aspects of the work. While the audit manager may not be very familiar with all the technology expertise and terminologies, there are certain terms that could assist the person in their leadership responsibilities. For example, it is helpful for an auditor examining software development to understand the difference between the waterfall model, which involves linear development towards a final product, and modern agile approaches, which provide more flexibility and allow for iterative development, rather than linear phases. The following tips might provide extra help:

1. Adhere to audit process. First and foremost, make sure your team understands GAGAS and internal quality control standards throughout the audit.
2. Include subject matter experts (SMEs) in planning. A technology audit isn’t just about technology. The technology is usually meant to facilitate some aspect of a program. Make sure your team includes experts knowledgeable about the program. Input from SMEs may provide extra necessary feedback in the process.
3. Include administrative resources with technology expertise. Audits involve a LOT of documentation. Make sure your team has tech savvy individuals to keep you organized.
4. Study guidelines for government IT audits. GAGAS has been mentioned above but there is also the Federal Information Security Management Act (FISMA) which is the law that defines guidelines and rules for protecting Federal information, operations, and assets. Knowing these guidelines is important when requesting and managing information during an audit.
5. Become best friends with your technology resources. Put your best technology resources on speed dial. Management of resources can be extremely helpful in situations when external factors affect the audit process.
6. Ensure you create an accurate Entity Profile. Document the technology infrastructure in a way that allows non-technology readers insight into the program being audited.
7. Remember your audience may be non-technical too. If you don’t understand something, your readers may not either. As an audit expert, you have the unique capability to translate complex technical topics in a way that non-technical resources can understand.

In short, a good auditor can be successful, even when the subject matter of the audit is outside their area of familiarity. The key to success includes leveraging basic leadership skills to manage a team with diverse skillsets. Always remember that the manager of any audit must first be a master of basic audit processes. The expertise for other areas can be outsourced, but the auditor must have the acumen to know where the expertise will be most effectively applied.