How many IT auditor needed in every company?

How many actually IT auditor needed in every company?
One is enough.

This is common question from board of director of a company who doesn’t know or quite new about IT auditing. For me, one IT auditor is enough for a company who doesn’t have any experience with IT auditing matter.

Didn’t agree? Why? Because in my view I see a lot of company who doesn’t have an IT auditor. There is still a very big number of company who doesn’t have. Demand is high, but the gap between management knowledge and expectation is also high. Many executive don’t know what is IT auditor role in the company. So again, one is more than enough.

If the awareness of BOD increasing then we should talk deeper about this situation. The ideal number of IT auditor is about 3-4% from the total IT person, or from the total IT budget in a year. For example if your IT department spend more than 100 million USD each year, the around 3 million should be spend for IT auditing matter.

Others scenario would be following the number of financial auditor in the company. If the company has 10 person for financial auditor then 2 or 3 person for it auditor is enough then. The IT auditor of course smaller then financial auditor.

Do you agree with this simple rule? However, based on my experience, since the number of company who doesn’t have a IT auditor is bigger then my answer is just same as the beginning: one is enough.

So how about your company?