TENTATIVE

Occ. Code 0472110

New York State Department of Civil Service

Classification Standard

BRIEF DESCRIPTION OF CLASS SERIES

Positions in this series establish and maintain an internal audit function that complies with the Institute of Internal Auditors’ Internal Standards for the Professional Practice of Internal Auditing at the Office for Information Technology Services (ITS). The positions perform similar duties as auditors of non-IT systems that require the ability to document process flows, interview staff, identify risk areas and controls, and develop tests of controls.  In addition, the positions develop tests of controls over IT related systems such as devices, operating systems, databases, and applications.

DISTINGUISHING CHARACTERISTICS

INFORMATION SYSTEMS AUDITOR 1 (ITS): full performance level; reporting to Information Systems Auditor 2 (ITS), the positions audit IT systems and controls.

INFORMATION SYSTEMS AUDITOR 2 (ITS): first supervisory level; reporting to an Information Systems Auditor 3 (ITS), the positions develop audit plans and supervise Information Systems Auditor 1 (ITS). 

INFORMATION SYSTEMS AUDITOR 3 (ITS): second supervisory level.  Reporting to the Director of Internal Audit, the positions administer the IT audit program and supervise Information Systems Auditor 2 (ITS).

ILLLUSTRATIVE DUTIES

INFORMATION SYSTEMS AUDITOR 1 (ITS)

·       Develop or follow audit plans of computer systems or operations in accordance with applicable auditing standards such as the Institute of Internal Auditors.

·       Obtain prior working papers, reports, and other documents and materials to gather an understanding of areas under audit.

·       Analyze business unit activities and assess risk levels to determine areas for audit.

·       Review and evaluate computer systems to determine if applications system controls are adequate.

·       Analyze and evaluate the adequacy of IT policies and procedures.

·       Evaluate systems and procedures relating to audit areas for compliance with applicable laws, rules and regulations and contract terms.

·       Evaluate agency systems and IT operating practices for efficiency and effectiveness in meeting agency and legislative goals and priorities.

·       Examine internal controls to evaluate the extent to which proper and effective controls are in place for areas under audit.

·       Prepare and organize audit working papers to document the work performed and conclusions drawn during the audit.

·       Write narratives, preliminary audit findings, and conclusions based on the findings derived from the audit procedures.

·       Participate and/or conduct interviews with client personnel and perform walk-throughs to assist in the evaluation of internal controls.

·       Examine transactions including purchases, contract payments, and personnel hiring to determine legitimacy, fraud, waste and abuse.

·       Interpret technical IT matters that comprise the documented control deficiencies for purposes of classifying significant deficiencies, material weaknesses, and exit conference points.

·       Review and evaluate the implementation of new systems to ensure that controls in the system are adequate and project management is utilized effectively.

·       Use computer-assisted auditing tools and techniques across various platforms to meet audit objectives.

·       Serve as lead auditor and oversee the work of trainees and students assistants on small, low risk or fairly routine assignments.

·       Discuss with audit team and auditee highly technical IT matters relating to deficiencies observed during control reviews.

·       Develop and perform adequate tests of control procedures to determine whether they have been placed in operation and are operating effectively.

·       Assess the effectiveness of the overall design and operation of related control procedures as it relates to the reduction of control risk.  

·       Prepare summaries of control deficiencies observed during IT control reviews which require the IT auditor to understand control procedures and determine whether they have achieved their objectives.

·       Conduct data analysis and data mining.

INFORMATION SYSTEMS AUDITOR 2 (ITS)

·       Define areas of activities to audit to ensure consistency and integrity of IT operations such as: application controls; web based applications; data center operations; identity and access management; system development life cycles; network security and firewalls; help desk and incident response programs; and change management systems.

• Perform audits of systems and applications to verify that systems and applications are appropriate, efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
• Perform audits of information processing facilities to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
• Perform audits of systems development activities to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
• Perform audits of IT management and enterprise architecture to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
• Perform audits of client/server, telecommunications, intranets, and extranets to verify that telecommunications are in place on the client, server, and on the network connecting the clients and servers.

·       Review and approve audit evidence and work papers prepared by staff for compliance with internal audit standards.

·       Develop audit plans of computer systems and/or operations and determine their impact on programmatic goals and objectives.

·       Provide recommendations to ITS managers and executives based on internal audit findings.

·       Test functionality and logic of current system edits to determine any system deficiencies; potential areas of exposure, or weakness.

·       Design and review test techniques required to ensure the accuracy and integrity of the systems.  

·       Demonstrate expert working knowledge for members of the audit team on audit trails, verifying audit techniques built into the system, evaluating system checks and controls, and solve problems relevant to the systems’ internal controls as they emerge.

·       Use audit software programs to analyze large amounts of data to identify non-compliance with policies and procedures and fraud.

·       Administer periodic on-site reviews of disaster recover, informational and physical security of department systems and provide recommendations for improvements.

·       Perform the full range of supervisory duties such as performance evaluations, time and attendance, and hiring activities.

INFORMATION SYSTEMS AUDITOR 3 (ITS)

• Compile annual risk assessment of computer systems and/or operations.
• Develop and execute annual audit plan based on the significant risks identified in the IT audit field.
• Develop internal audit policies to ensure compliance with all auditing standards and governmental requirements.
• Direct internal audits including the testing of reliability of the systems of internal controls for ITS.
• Develop audit scope and approve audit programs to be followed by the audit team, and develop follow-up plans.
• Develop, implement, and maintain computer assisted auditing tools to be used by audit staff.
• Develop work systems and methods to effectively speed the conduct of audits and analysis work.
• Direct the development of final recommendations to provide assurance that internal controls of computer systems and/or operations are adequate.
• Evaluate agency policies and procedures to ensure that assets and resources of ITS are safeguarded and utilized properly.
• Review formal written reports setting forth recommendations for management to strengthen and improve computer systems and/or operations, as well as identify cost or efficiency savings.
• Work directly with executive staff on organizational and operational problems, identifying root causes and providing recommendations.
• Conduct reviews of all products of audit work performed by staff (work papers, testing and sampling plans, status reports, draft issues, etc.) to ensure that audits adhere to applicable governmental auditing standards.
• Provide guidance and oversight to subordinate staff, and intervene and resolve problems.
• Perform the full range of supervisory duties such as performance evaluations, time and attendance, and hiring activities.
• Identify staff training needs and arrange for training.
• Manage and direct program activities by setting priorities and deadlines.

MINIMUM QUALIFICATIONS

INFORMATION SYSTEMS AUDITOR 1 (ITS)

Non-Competitive:  a bachelor’s degree and three years of IT auditing experience*.

          INFORMATION SYSTEMS AUDITOR 2 (ITS)

Promotion: one year of service as an Information Systems Auditor 1 (ITS).

Non-Competitive:  a bachelor’s degree and five years of IT auditing experience*, including two years of supervisory experience.

          INFORMATION SYSTEMS AUDITOR 3 (ITS)

Promotion: one year of service as an Information Systems Auditor 2 (ITS).

Non-Competitive: a bachelor’s degree and seven years of IT auditing experience*, including two years of managerial experience.

*IT auditing experience must have been gained in any one or combination of the following: 

·       An auditor with responsibility for the audits of system development life cycle, including the writing and presentation of findings reports of technical issues to a non-technical audience.

·       An auditor with responsibility for the audits of physical and logical access controls, general IT controls, and application controls, including the writing and presentation of findings reports of technical issues to a non-technical audience.

·       An auditor principally engaged in audits of IT project management, telecommunication networks, software, and business continuity preparedness.

·       An information systems professional with responsibility for the analysis and evaluation of information systems, including platforms; network infrastructure; and operational practices.

·       As a field auditor with federal, state, or municipal agency, with the responsibility for performing comprehensive IT audits to determine the compliance of individuals or businesses.

Education/Experience Substitution: an associate’s degree may substitute for up to two years of experience; J.D. or master’s degree may substitute for one year of technical experience; Ph.D. may substitute for two years of technical experience.

Date:  6/18

NOTE: Classification Standards illustrate the nature, extent and scope of duties and responsibilities of the classes they describe.  Standards cannot and do not include all of the work that might be appropriately performed by a class.  The minimum qualifications above are those which were required for appointment at the time the Classification Standard was written.  Please contact the Division of Staffing Services for current information on minimum qualification requirements for appointment or examination.