I’m getting discouraged. I’m starting to wonder how many audit departments follow auditing standards, say, from IIA or ISACA. After some of the IT audits and IT SOX audits I’ve seen in the past year, who knows.
Some companies take their control owners’ word as gold and don’t verify it.
“They wouldn’t give you the information if it wasn’t true! Audit the evidence you’re given and quit questioning everything!” said one audit director. Excuse me, but doesn’t ISACA require auditors to maintain their professional skepticism? Perhaps ISACA means be skeptical of audit directors?
Sometimes evidence received has no physical tie back to the system from which it (supposedly) came. Ask for all the accounts in the Oracle Financials database, and you get a hastily typed list. No screen shot from the system or printout of a SQL query. What happened to the system-generated list?
Auditors need to remember that they have to ask all the appropriate questions and that their auditees aren’t going to volunteer any information (at least not the smart auditees).
For example, one audit of a remote location’s servers noted that the LDAP directory used by the servers had system limitations that prevented enforcement of password complexity, password expiration, and lockout after 5 invalid attempts. The evidence consisted of a screenshot of the LDAP directory’s password configuration parameters (or lack thereof), but no evidence noting which of the 15 servers actually connected to the LDAP directory.
During validation of the test, I followed up and requested the Unix configuration file that pointed each server to the LDAP directory. I received only 8 files. When questioned, the control owner admitted that the other 7 servers used a local password policy, not the LDAP directory, a fact conveniently omitted, as those servers did not meet the password standard.
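As an added example of the tie-back check described above (not code from the original post), the script below reads each server's configuration evidence and reports whether it really uses the directory's password policy, silently falls back to a local one, or produced no evidence at all. It assumes the conventional `passwd:` line in /etc/nsswitch.conf and a PAM auth stack that loads pam_ldap.so or pam_sss.so; the server names and file contents are constructed sample evidence.

```python
import re

DIRECTORY_NSS = {"ldap", "sss"}                # NSS sources backed by a directory
DIRECTORY_PAM = ("pam_ldap.so", "pam_sss.so")  # PAM modules that consult one

def active_lines(text):
    """Config lines with comments stripped: '#passwd: files ldap' is not evidence."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def nss_passwd_sources(nsswitch_text):
    """Sources on the active 'passwd:' line of /etc/nsswitch.conf."""
    for line in active_lines(nsswitch_text):
        m = re.match(r"passwd\s*:\s*(.*)", line)
        if m:
            return m.group(1).split()
    return []

def pam_uses_directory(pam_text):
    """True if the PAM auth stack actually loads a directory module."""
    return any(line.startswith("auth") and any(mod in line for mod in DIRECTORY_PAM)
               for line in active_lines(pam_text))

def policy_source(nsswitch_text, pam_text):
    """'directory' only when both NSS and PAM point at it; otherwise local policy rules."""
    via_nss = bool(DIRECTORY_NSS & set(nss_passwd_sources(nsswitch_text)))
    return "directory" if via_nss and pam_uses_directory(pam_text) else "local"

def reconcile(population, evidence):
    """Every server in the control population with its real policy source, or
    'no evidence' when no configuration file was produced for it."""
    return {s: policy_source(**evidence[s]) if s in evidence else "no evidence"
            for s in population}

# Constructed sample evidence for a hypothetical five-server population.
POPULATION = ["srv01", "srv02", "srv03", "srv04", "srv05"]
EVIDENCE = {
    "srv01": dict(nsswitch_text="passwd: files ldap\nshadow: files ldap\n",
                  pam_text="auth sufficient pam_unix.so\nauth sufficient pam_ldap.so use_first_pass\n"),
    "srv02": dict(nsswitch_text="#passwd: files ldap\npasswd: files\n",  # directory line commented out
                  pam_text="auth required pam_unix.so\n"),
    "srv03": dict(nsswitch_text="passwd: files sss\n",
                  pam_text="auth sufficient pam_unix.so\nauth sufficient pam_sss.so\n"),
    "srv04": dict(nsswitch_text="passwd: files ldap\n",  # NSS names ldap, but PAM never calls it
                  pam_text="auth required pam_unix.so\n"),
    # srv05 is in the population, but no file was ever handed over.
}
```

Calling `reconcile(POPULATION, EVIDENCE)` lists every server the LDAP screenshot was supposed to cover, so the ones on a local policy and the one with no file at all cannot be quietly left out of the sample.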
Facts aren’t facts until you verify them.