Gartner Research

Internal IT Audit: Friend, Not Foe

Published: 31 March 2006

ID: G00203168

Analyst(s): Fred Cohen


Internal auditors are often in an adversarial position with those they audit, but the wise manager leverages internal audit to improve performance and to avoid surprises. This overview discusses how to use internal information technology (IT) audit staff to benefit the enterprise: scheduling audits for the most effective coverage of the most important systems, deciding the coverage and depth of review, making special assignments, responding to internal audit findings, and knowing when to ask auditors in for a review.

Table Of Contents

  • Internal IT Audit Can and Should Be Better Applied
  • What Should Be Audited and When
  • How to Get the Audits the Enterprise Needs
  • Responding to Audit Findings
  • How to Allocate Limited Audit Resources
  • Normalizing Audit
  • Separation of Duties Issues
  • Recommendations
    • Use Audit to Measure Program Metrics
    • Allocate Audit Resources Proportionally to Consequences
    • Compensate for Inadequate Management Feedback with Audit
    • Make Sure All Workers Understand What the Audit Program Is and Does
    • Handle Uncooperative Auditees Through HR Actions
    • Measure and Report Program Progress Through Audit
    • Keep Internal Audit Independent but Help to Set Their Agenda
    • Use Internal Audit to Optimize the Protection Program

The Details

  • Assumptions
  • Internal IT Audit
  • Auditors Are Feared and the Fear Must End
  • What Are the Uses of Internal IT Audit and Which Ones Benefit the Security Program?
    • The CISO Does Not Own Most Protective Functions
    • Normal Management Feedback Is Not Available to the CISO
    • Feedback Is Indirect
    • How Controls Work
    • Outsourcing Controls
  • What Should Be Audited, How Often, and to What Level of Depth?
    • What Basis Might We Want For Audit Frequency?
    • What Should the CISO Choose?
    • What Are the Costs?
  • Why You Should Be Asking for More Audits, Not Fewer
    • An Example for Clarity
    • How Often Do We Do What and How Does That Translate to Costs?
    • How Many Auditors?
    • How Much Audit Do You Have Today?
    • Do You Have What You Need?
    • A Major Problem with This Approach
  • Generating a Special Assignment for an Audit Team
    • Special Audit Requests for High-Risk Situations
    • Alternatives to Special Audit Requests
  • Example of Applying Resource Allocation Optimization Method
    • Allocating Resources from Highest Consequence Down
    • Using Proportional Audit Allocation
  • When to Ask for an Audit
    • New Systems Coming On Line
    • Substantial Changes to Existing Systems
    • Incident-Driven Audits
    • Regulatory Audits
    • External Audit Finding Responses
    • Other Requested Audits
    • Systems Not Audited for Long Periods of Time
  • How to Prepare for an Audit
    • What Auditors Want
    • What Most Audit Targets Want
    • Reconciliation
    • What Works and Why
    • Why This Is a Bad Idea
    • When This Fails
    • The Best Preparation
  • How to Respond to Audit Findings
    • Responding to Normal Audits
    • Pushback in Normal Audits
    • Responding to Internal Audits of Management Metrics
  • Normalizing the Internal Audit Process


©2020 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.
