What you need to know about IT

Auditors and regulators: Time to hire more IT grunts?

09/15 FCW Magazine Feature.

Regulators and auditors have long been management analysts and accountants. But in a world where technology permeates everything — and presents new risks — should IT proficiency be a priority for overseers?

It becomes a matter of asking: “Do the watchers have a flashlight that works?” NASA Inspector General Paul Martin said.

It turns out those flashlights can be few and far between. Inspectors with IT proficiency are in short supply in both industry and government.

In the financial sector, for instance, four primary agencies are responsible for examining tens of thousands of institutions, as the Government Accountability Office detailed in a July report.

Although NBC News quoted Dmitri Alperovitch, co-founder of computer security company CrowdStrike, as saying that hackers could wreak “absolute havoc on the world’s financial system for years” by altering electronic bank records, there are only a handful of IT-proficient regulators.

Among the findings in GAO’s recent report:

  • The Federal Deposit Insurance Corp. has 60 “premium IT examiners” to review more than 4,000 financial institutions.
  • The Office of the Comptroller of the Currency has 100 IT specialist examiners to monitor 1,500 institutions.
  • The National Credit Union Administration has roughly 50 IT specialists for the 6,200 credit unions it monitors.
  • The Federal Reserve System has some 85 IT examiners for the 5,500 institutions under its watch.


GAO auditors said a generalist examiner who has some IT training often reviews the cybersecurity situation at small and midsize banks, which means those institutions are receiving less-than-optimal analysis and advice.

A similar scarcity persists in IG offices. At NASA, Martin said, there are 80 auditors in the IG’s office, but only five of them have IT expertise.

“They are very difficult to retain,” he said of IT-proficient auditors. “We tend to poach from each other in the IG community.”

The lack of expertise hinders thorough reviews. “I think every agency has no doubt dozens of IT audits or reviews that should be done” but aren’t due to a lack of tech-savvy auditors, Martin added.

What auditors should know

Martin has criticized the checklist nature of Federal Information Security Management Act reports in the past, noting that FISMA “doesn’t get down onto the ground” to deeply assess security.

“You don’t want to have a bus driver be the flight examiner for a Boeing 747 pilot just because he can follow a checklist,” said Montana Williams, senior manager of ISACA’s Cybersecurity Practices. “If you’re not a cybersecurity professional, how can you audit cybersecurity?”

Among the skills regulators and auditors should have is “detailed knowledge of the operating systems and the technology in operation” at the agencies or institutions they’re monitoring, said Gregory Wilshusen, GAO’s director of information security issues.

“They have to understand security policies and procedures and how they are implemented, and they have to understand technical security controls to be able to judge, ‘Are they implemented and operating as intended?’” he added.

Those skills can be difficult to pick up on the fly, which is why some experts advocate looking for people who have an IT background.

“I’ve found the best IT auditors are former IT grunts,” notes Mack, an IT auditor and author of the ITauditSecurity blog. The blog keeps a running tally of the skills IT auditors should have, from basic typing to understanding permissions and knowing how networks, applications and databases interact.

However, Williams and Martin both said that even IT-proficient auditors need continuous training to stay sharp. Williams plugged the Cybersecurity Nexus training program he runs at ISACA. Martin said IGs need to find specialized training for their auditors because the Council of the Inspectors General on Integrity and Efficiency’s training program does not offer the necessary cybersecurity courses.

Martin added that tech can be a boon, not just a burden, for regulators and auditors, and he cited the analytics work done by the National Science Foundation’s IG as an example.

In the meantime, experts advise making the most of the resources you have.

“We matrix our teams,” said Martin, explaining that one IT pro can support a bigger team of reviewers to make audits more effective.

About the Author

Zach Noble is a former FCW staff writer.

