The annual Internal Audit Priorities Report released by MISTI states that “when co-sourcing or hiring outside assistance, CAEs most often want help with IT security expertise.” Let’s talk about that for a bit.

Ask any IT expert, and they’ll rattle off the top concerns companies have about their security environment: user awareness, secure application development, and understanding of the cloud and what critical data you’re moving into the cloud.

Those are some heavy concerns to consider that require some expertise beyond accounts payable auditing knowledge.

Good IT auditors are in high demand and they know it. Lucky for larger companies, they can afford to hire full-on IT audit teams. But what about the smaller shops that need just as much IT expertise as the next Joe but can’t afford it? Since the IT security threat doesn’t go away for small companies, it’s time to explore cost-effective options. Here’s where consultants come in.

Finding the right consultant for your company can be challenging. Jason Claycomb, principal at INARMA, performs cybersecurity and IT governance consulting. He’s also a MISTI trainer. Claycomb shares a few tips to help you find the best IT consultant for your needs.  

When IT consultants are cost-effective

When deciding to hire a consultant, you have a choice between an independent consultant (small firm) or a medium to large firm (think Deloitte or Ernst & Young).

An independent consultant might be a wiser choice for small audit teams. For starters, if you bring in an individual for small projects, they’ll bill for fewer hours during that project. At the same time, they will get to know your company, processes, and politics. When a larger project requires IT expertise, the same consultant will need very little ramp-up time and can jump right in and begin working.

The relationship between audit shop and IT consultant is reciprocal: “From the consultant’s side it’s an opportunity to get in the door and build a relationship,” says Claycomb. “From the business side, they can put someone in for the small term, and then the company can use the consultant for the bigger projects later.”

Sometimes choosing a small-business consultant can be a bit of a maverick decision, so it’s worth using a few insider tips to find the right individual.

MISTI and other training companies (The IIA, Gartner, and others) will have a list of subject-matter experts that offer a variety of IT courses. Most of the time, they run consulting companies alongside their training schedules. You can research these trainers online, attend seminars, or just give them a call to learn about their philosophy and their specialties.

Keep in mind that both large-firm and independent consultants might accept smaller projects to have the opportunity to get their foot in the door.

Although larger firms come with a reputation, they also come with a higher price. Additionally, the bigger firms are more apt to bait and switch than a mid-sized company or small firm. Although this point may not be a deal breaker for your company, it is something to be aware of.

Find someone with industry expertise

IT encompasses a wide range of specialties, and no single consultant can know everything (or can they?). You can narrow consultants by finding a consultant who specializes in your top IT concerns and understands your company’s industry.

As far as IT specialties range, some different facets of IT include cybersecurity, endpoint protection, mobility, and threat intelligence. Some consultants will have more experience than others. You might need an IT consultant with some social skills to help you navigate the politics of IT issues. Conversely, emotional intelligence might rank low as you need an IT person who works solely with other IT people.

One way to look for industry expertise is to get referrals from a similar business. For example, Chicago has about a million banks. Although they might not be in direct competition with one another, all of these banks are in relatively the same industry and encounter similar problems.

Auditor tip: Not all consultants with specific expertise (e.g., cloud security) will know your exact industry or the specific questions they should ask. So if one company in your line of work is praising a consultant’s name, it might be worth looking into that consultant.

Look for both a practitioner...

Consultants don’t fit into a single mold – they can be straight out of college or have years of experience. Even more, IT consultants don’t even have to have been auditors.

“Consultants are great – we’ve seen a lot of different things,” says Claycomb, “But even better is someone who’s been more than just a consultant – particularly someone who’s been more than just an auditor.”

In other words, good consultants have practical experience from actually practicing in the industry.

When thinking of hiring an IT consultant, think outside of normal audit institutions. A good consultant could be someone who’s had a long-time relationship with the company who could act as a part-time employee. Or a consultant could have been part of the company in the past and will know the company, its finances, the management, and the politics.

Adds Claycomb, “longstanding relationships [from previous employees] might also understand management’s level of risk tolerance.”  

Claycomb makes a good point. If you choose someone out of college or a large consulting firm, you might have people who have worked for a few months or several years who never managed a company. “Choosing someone who’s helped manage a company [to consult for you] will provide a different and very beneficial view of the company.”

...and look for a good consultant

Practitioners who are also consultants can possess a different level of emotional and strategic intelligence. What that means is good consultants think in a way of framing the question to solve problems not just practically but also politically.

“I know people who are great practically but they aren’t a good consultant – because they can’t talk politically,” says Claycomb.

For example, a practical solver would say, “Do it like x, y, and z.” However, a consultant will conquer the solution in a larger way. They can help talk you through the business side of the problem by asking questions like, “What’s your ultimate goal out of this? Maybe you can try [a certain approach] to get to your goal.”

Good consultants will commiserate about the problem or challenge. They can listen well to a variety of different viewpoints and pick out the kernels of what everyone says.

But here’s the kicker: determining if you’d rather hire an IT expert with strategic business intelligence is important. Remember how I said consultants don’t fit a single mold?

Claycomb recounts his “hacker friend” who has fantastic book knowledge in the cybersecurity area of IT.

“He doesn’t want to talk to business people. He’ll talk techie all day. And he’s getting business by referrals from corporate security officers from the biggest banks in the world.”

Does his hacker friend make a great business consultant? Not really. But he makes an excellent cybersecurity consultant. His hacker friend gets to hang in his happy space where he’s with IT people who talk tech all day long. “Maneuvering business politics” are not part of his job description and that’s completely okay. But for a different IT consultant, business understanding may be in bold print in the job description.

Auditor tip: We all do better with a plan. To find an IT consultant, scribble a quick mind map by placing the IT issues in the main bubble. Radiating from the bubble list specialties the IT consultant would have (in a perfect world), such as cloud security knowledge, user awareness understanding, industry knowledge, social qualities, and more. Highlight your most important needs and begin your search. Find an extensive review of using mind maps here.


You can find IT consultants all around you if you’re ready to buckle down and do a little legwork. Past employees, retired executives, trainers from training firms, and business referrals are all excellent places to start.

Did you like someone in a seminar and like their advice in IT? If so, look them up and initiate a meeting.



Sarah Swanson
Writer and Trainer
Sarah Swanson is a professional writer with 17 years experience in technical, marketing, and audit report writing. Her NASBA-certified courses focus on corporate writing training for internal audit teams and finance groups.