Auditors use the following secrets and tricks to ensure that control owners can’t run and hide. If you do audits of any type and don’t use these tricks, you might want to consider adding them to your toolbox. If you are the one getting audited, beware!
Here are some of my favorite sneaky tricks:
- Search your company intranet and the Internet for the name of your auditee and subject matter experts (SMEs) and learn all you can about their habits, personal preferences, and hobbies. For example, I always look for a LinkedIn page. And I love sites like www.truthfinder.com. If you find that a control owner or SME enjoys gambling, skydiving, or blind skiing, do you really think they don’t take risks at work too? Even if you don’t find anything that gives you pause, you’ll have some good introductory subjects to set your client at ease and develop some rapport.
- Search your company intranet and shared drives for documentation and smoking guns. Don’t forget those interesting company blogs and wikis and all those SharePoint sites. I once found a departmental website where a control owner stored all his quarterly user access reviews. Well, the ones he did once last year and last quarter when he heard an audit was coming. I went into the audit already knowing he was missing 3 quarterly reviews last year and 1 review this year. Heh heh.
- Do a whack-whack server audit. I’m so surprised that most IT auditors I encounter don’t know about this! During my last audit, a WWSA revealed that I could access (along with all users in the company, including contractors and temporary help) all the install documentation for a financial application, the EXE needed to install the application on my desktop, and even the ODBC instructions for connecting to the database!
A whack-whack server audit (WWSA) is simply typing the following into the Start, Run box on a Windows PC: \\servername
(“whack-whack” is slang for the two backslashes: \\)
This allows you to see what shares are open on the server for further browsing. In some companies, this can get you in trouble, so check with your manager or get a GOOJ (get-out-of-jail) card.
- Ask a few questions at the beginning of the audit that you already know the answer to so that you can gauge truthfulness and expertise. Ask a mix of detailed questions and open-ended questions. When you’re dealing with multiple SMEs, talk to each one separately, ask all of them some of the same questions, and compare the answers. When they give different answers, play them against each other. In other words, tell Simone how Bob’s answer was different, and ask her why she thinks Bob said that.
- Casually ask SMEs what they know about the next area/application/system you’ll be auditing. Occasionally you’ll learn some interesting tidbits, especially when the audit is more general in nature (help desk, network security, email system, data center operations, etc.). Again, this works best when you ask early on, before they get too concerned about the problems you’re finding in their own area.
- Do a wastebasket audit for each SME at the beginning of the audit and on the day an SME is notified of a major finding. For more info, see Why a Wastebasket Audit? Again, you might want to talk to your manager or get a GOOJ card.
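The whack-whack server audit described above, scripted from the defender’s side so an entire file server can be checked at once. This is an added example, not code from the post; it assumes admin rights on the target, the SmbShare module (Windows 8 / Server 2012 or later), and a placeholder server name of FILESERVER01.

```powershell
# Added example, not from the post: audit a file server's SMB shares for broad
# access, the same thing a whack-whack (\\servername) check reveals by hand.
# Assumes admin rights on $Server and the SmbShare module (Windows 8 /
# Server 2012 or later). FILESERVER01 is a placeholder name.
param(
    [string]$Server = 'FILESERVER01'
)

# Share-level grants to these principals mean every domain account,
# contractors and temps included, can at least reach the share.
$broadPrincipals = @('Everyone', 'Users', 'Authenticated Users', 'Domain Users')

$session = New-CimSession -ComputerName $Server
try {
    # Special (admin) shares such as C$ and IPC$ are expected; skip them.
    $shares = Get-SmbShare -CimSession $session | Where-Object { -not $_.Special }

    $findings = foreach ($share in $shares) {
        $acl = Get-SmbShareAccess -Name $share.Name -CimSession $session
        # Keep only Allow entries whose account (domain prefix stripped) is broad
        $broad = $acl | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadPrincipals -contains ($_.AccountName -split '\\')[-1]
        }
        foreach ($entry in $broad) {
            [pscustomobject]@{
                Server    = $Server
                Share     = $share.Name
                Path      = $share.Path
                Principal = $entry.AccountName
                Right     = $entry.AccessRight   # Read, Change or Full
            }
        }
    }
}
finally {
    Remove-CimSession -CimSession $session
}

# Caveat: this is the share ACL only. NTFS permissions on $share.Path still
# apply, so a hit means "reachable by everyone", which is what the auditor
# then confirms by browsing \\$Server\<share>. An empty list means no
# non-admin share is granted to a broad group at the share level.
$findings | Sort-Object Share, Principal | Format-Table -AutoSize
```

Run it against each file server in scope before the fieldwork starts; a share that shows up here with Read or better for Everyone is the install-media and ODBC-instructions situation from the post, found in seconds rather than by hand.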
Some of you are going to accuse me of being underhanded and sneaky. Go ahead, but while these secret tricks seem nasty, they really aren’t. They’re more crafty than nasty. Nasty is when a control owner is careless about key controls or tries to cover his guilty carcass.
Obviously, you don’t tell people that you’re doing these things. Besides, the only one that may get you into any trouble is the wastebasket audit, because, believe it or not, people consider their trash personal (ponder the irony of that for a moment). But if their trash was so confidential, why did they throw it away? Why didn’t they shred it? If anyone gets upset, you can always mention that the audit charter gives auditors access to all records, current and discarded.
If you disagree, I can’t wait to hear from you. Let ‘er rip!
Who said IT auditor is a boring job? :)
One question: after “Google auditee and SME names and learn all you can about their habits, personal preferences, and hobbies,” if you find the auditee has no online presence at all, what will come into your mind? Will you feel suspicious about something?
TT,
Good question. Usually if a person has some level of expertise and years of experience, they will have some online presence, but not all.
If you don’t find anything, you go blind. I don’t consider it suspicious as many people value their privacy.
The other thing you can do is ask others in the workplace that you know about them, people that won’t tell the SME you inquired.
One item I need to add: search your intranet. If someone has been around, you’ll often find some info that way.
The point isn’t to find dirt necessarily, but to learn what you can, and if you find something, use it to your advantage.
This is very informative and rewarding.