Tentative Classification Standards issued by the Division of Classification & Compensation are shared with the operating agencies of State government for their consideration and comment. Accordingly, this document that you are viewing is subject to change and will be issued in final form at the completion of the review period.




Occ. Code 0472110










New York State Department of Civil Service


Classification Standard


Positions in this series establish and maintain an internal audit function that complies with the Institute of Internal Auditors Internal Standards for the Professional Practice of Internal Auditing at the Office for Information Technology Services (ITS). The positions perform duties similar to those of auditors of non-IT systems, which require the ability to document process flows, interview staff, identify risk areas and controls, and develop tests of controls. In addition, the positions develop tests of controls over IT-related systems such as devices, operating systems, databases, and applications.



INFORMATION SYSTEMS AUDITOR 1 (ITS): full performance level; reporting to Information Systems Auditor 2 (ITS), the positions audit IT systems and controls.


INFORMATION SYSTEMS AUDITOR 2 (ITS): first supervisory level; reporting to an Information Systems Auditor 3 (ITS), the positions develop audit plans and supervise Information Systems Auditor 1 (ITS). 


INFORMATION SYSTEMS AUDITOR 3 (ITS): second supervisory level.  Reporting to the Director of Internal Audit, the positions administer the IT audit program and supervise Information Systems Auditor 2 (ITS).




·       Develop or follow audit plans of computer systems or operations in accordance with applicable auditing standards such as those of the Institute of Internal Auditors.

·       Obtain prior working papers, reports, and other documents and materials to gather an understanding of areas under audit.

·       Analyze business unit activities and assess risk levels to determine areas for audit.

·       Review and evaluate computer systems to determine if applications system controls are adequate.

·       Analyze and evaluate the adequacy of IT policies and procedures.

·       Evaluate systems and procedures relating to audit areas for compliance with applicable laws, rules and regulations and contract terms.

·       Evaluate agency systems and IT operating practices for efficiency and effectiveness in meeting agency and legislative goals and priorities.

·       Examine internal controls to evaluate the extent to which proper and effective controls are in place for areas under audit.

·       Prepare and organize audit working papers to document the work performed and conclusions drawn during the audit.

·       Write narratives, preliminary audit findings, and conclusions based on the findings derived from the audit procedures.

·       Participate in and/or conduct interviews with client personnel and perform walk-throughs to assist in the evaluation of internal controls.

·       Examine transactions including purchases, contract payments, and personnel hiring to determine legitimacy, fraud, waste and abuse.

·       Interpret technical IT matters that comprise the documented control deficiencies for purposes of classifying significant deficiencies, material weaknesses, and exit conference points.

·       Review and evaluate the implementation of new systems to ensure that controls in the system are adequate and project management is utilized effectively.

·       Use computer-assisted auditing tools and techniques across various platforms to meet audit objectives.

·       Serve as lead auditor and oversee the work of trainees and student assistants on small, low-risk or fairly routine assignments.

·       Discuss with audit team and auditee highly technical IT matters relating to deficiencies observed during control reviews.

·       Develop and perform adequate tests of control procedures to determine whether they have been placed in operation and are operating effectively.

·       Assess the effectiveness of the overall design and operation of related control procedures as it relates to the reduction of control risk.  

·       Prepare summaries of control deficiencies observed during IT control reviews which require the IT auditor to understand control procedures and determine whether they have achieved their objectives.

·       Conduct data analysis and data mining.


·       Define areas of activities to audit to ensure consistency and integrity of IT operations such as: application controls; web-based applications; data center operations; identity and access management; system development life cycles; network security and firewalls; help desk and incident response programs; and change management systems.

·       Review and approve audit evidence and work papers prepared by staff for compliance with internal audit standards.

·       Develop audit plans of computer systems and/or operations and determine their impact on programmatic goals and objectives.

·       Provide recommendations to ITS managers and executives based on internal audit findings.

·       Test functionality and logic of current system edits to determine any system deficiencies, potential areas of exposure, or weaknesses.

·       Design and review test techniques required to ensure the accuracy and integrity of the systems.  

·       Demonstrate expert working knowledge for members of the audit team on audit trails, verifying audit techniques built into the system, evaluating system checks and controls, and solving problems relevant to the system's internal controls as they emerge.

·       Use audit software programs to analyze large amounts of data to identify non-compliance with policies and procedures and fraud.

·       Administer periodic on-site reviews of disaster recovery, informational and physical security of department systems and provide recommendations for improvements.

·       Perform the full range of supervisory duties such as performance evaluations, time and attendance, and hiring activities.





Non-Competitive: a bachelor's degree and three years of IT auditing experience*.


Promotion: one year of service as an Information Systems Auditor 1 (ITS).

Non-Competitive: a bachelor's degree and five years of IT auditing experience*, including two years of supervisory experience.


Promotion: one year of service as an Information Systems Auditor 2 (ITS).

Non-Competitive: a bachelor's degree and seven years of IT auditing experience*, including two years of managerial experience.

*IT auditing experience must have been gained in any one or combination of the following: 

·       An auditor with responsibility for the audits of system development life cycle, including the writing and presentation of findings reports of technical issues to a non-technical audience.


·       An auditor with responsibility for the audits of physical and logical access controls, general IT controls, and application controls, including the writing and presentation of findings reports of technical issues to a non-technical audience.


·       An auditor principally engaged in audits of IT project management, telecommunication networks, software, and business continuity preparedness.


·       An information systems professional with responsibility for the analysis and evaluation of information systems, including platforms; network infrastructure; and operational practices.


·       A field auditor with a federal, state, or municipal agency, with responsibility for performing comprehensive IT audits to determine the compliance of individuals or businesses.

Education/Experience Substitution: an associate's degree may substitute for up to two years of experience; a J.D. or master's degree may substitute for one year of technical experience; a Ph.D. may substitute for two years of technical experience.

Date:  6/18

NOTE: Classification Standards illustrate the nature, extent and scope of duties and responsibilities of the classes they describe.  Standards cannot and do not include all of the work that might be appropriately performed by a class.  The minimum qualifications above are those which were required for appointment at the time the Classification Standard was written.  Please contact the Division of Staffing Services for current information on minimum qualification requirements for appointment or examination.