What IT Auditors Ought to Know – and Don’t!

Here’s my list of IT/security basics that I think IT auditors ought to know. If you can’t understand and audit these items, you do not know enough about technology to avoid having the wool pulled over your irises (no matter how good an auditor you are). The list is in no particular order.

Feb 2015 – I started adding some links to explain some of these items in response to a request by ziad (good idea). Some of the links are to more of my own posts, while others are to outside articles that contain good content. While I feel the links cover the material I’m referring to in this post, some of the linked articles contain information and suggestions that I don’t necessarily agree with. I’ll keep adding links, and maybe someday will add more of my own posts to supplement this material.

  • In Windows, the difference between network (Active Directory domain) accounts and local server and user accounts.
  • The difference between Windows local admin accounts and domain admin accounts.
  • How Active Directory groups and permissions control account access.
  • Difference between share permissions and folder permissions.
  • How the network, applications, and databases work together. First, that they are separate entities. Second, the basic functions that each performs.
  • How adding complexity and length to a password makes it more difficult to guess or crack.
  • How to map a drive, map a printer, and ping a network device by name AND by IP address.
  • While logged into* a Windows PC on an unfamiliar network, determine the device’s IP address, network mask, and gateway. Also determine the DHCP and DNS server the device is using.
  • The differences between databases, database instances, database tables, and database views.
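The password item above is the one auditors most often take on faith, so here is an added example (my own code, not from this post) that shows the arithmetic behind “length and complexity make a password harder to guess”: it sizes the search space an exhaustive guesser faces under a few constructed policies and ranks them. The character-class sizes and the guess rate of 10^10 per second are assumptions for illustration, not measurements of any particular system.

```python
import math

# Sizes of the character classes a password policy may require.
# Assumed values for a US keyboard (33 printable ASCII symbols).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def charset_size(classes):
    """Number of distinct characters available when the given classes are allowed."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(classes, length):
    """Candidates an exhaustive guesser must try, worst case, for a password of
    exactly `length` characters drawn from the allowed classes."""
    return charset_size(classes) ** length


def bits_of_entropy(classes, length):
    """Entropy in bits if every position is chosen uniformly at random."""
    return length * math.log2(charset_size(classes))


def seconds_to_exhaust(classes, length, guesses_per_second):
    """Worst-case time to enumerate the whole keyspace at a given guess rate."""
    return keyspace(classes, length) / guesses_per_second


def compare_policies(policies, guesses_per_second=1e10):
    """Rank candidate policies from weakest to strongest by keyspace.
    `policies` maps a label to (allowed classes, minimum length). The default
    guess rate is an assumed round number, not a benchmark of real hardware."""
    ranked = []
    for label, (classes, length) in policies.items():
        ranked.append({
            "policy": label,
            "keyspace": keyspace(classes, length),
            "bits": round(bits_of_entropy(classes, length), 1),
            "years_to_exhaust": seconds_to_exhaust(classes, length, guesses_per_second)
                                / (365 * 24 * 3600),
        })
    return sorted(ranked, key=lambda r: r["keyspace"])


# Constructed policies for illustration.
EXAMPLE_POLICIES = {
    "8 chars, all four classes": (["lower", "upper", "digit", "symbol"], 8),
    "12 chars, lowercase only": (["lower"], 12),
    "12 chars, all four classes": (["lower", "upper", "digit", "symbol"], 12),
}

if __name__ == "__main__":
    for row in compare_policies(EXAMPLE_POLICIES):
        print(f"{row['policy']:<28} {row['bits']:>6} bits  "
              f"{row['years_to_exhaust']:>12.3g} years")
```

The ranking shows why length matters more than a complexity checkbox: twelve lowercase letters (26^12) outnumber eight characters drawn from all four classes (95^8). Two caveats when you use this in an audit: the figures are the worst case for the guesser, and a password that appears in a wordlist is found long before the keyspace is exhausted, so the policy should be read together with how the system stores password hashes and whether it locks out or throttles repeated failures.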

Almost all the IT auditors I’ve worked with don’t know half of these. How do you fare?

  • How to type (no kidding!). How can you work in IT or audit or anywhere, on a computer all day, if you peck like a bird?
  • How to read system logs.
  • Fundamental differences between Windows and UNIX operating systems.
  • How to read Unix permissions.
  • How to perform a whack-whack server audit.
  • How to perform basic URL man-ip-ulation.
  • How to run simple scanners such as Netstumbler and Superscan (see Top 100 Network Security Tools).
  • How to configure wireless network cards and wireless routers for WPA security (at least).
  • How to map to a printer on an unfamiliar network without any help (anyone want to guess why I think this is so important? It’s not explicitly related to auditing or security, but is directly related).
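“How to read Unix permissions” is on the list above; as an added example (my own code, not from this post), here is a small Python reader for the symbolic mode column of `ls -l` output. It converts a mode such as `-rwsr-xr-x` to its numeric form, including the setuid, setgid and sticky bits, and then scans a listing for the entries an auditor would want to ask about. The sample listing is constructed for illustration, not captured from a real host.

```python
import re

# Symbolic mode: a type character followed by three rwx triplets. 's'/'S' in the
# user or group execute slot encodes setuid/setgid; 't'/'T' in the other slot
# encodes the sticky bit. Uppercase means the bit is set without execute.
MODE_RE = re.compile(r"^[-dlcbps]([-r][-w][-xsS])([-r][-w][-xsS])([-r][-w][-xtT])$")


def parse_mode(mode):
    """Convert a 10-character symbolic mode (e.g. '-rwsr-xr-x') to its numeric
    form (0o4755), including setuid, setgid and sticky bits."""
    m = MODE_RE.match(mode)
    if not m:
        raise ValueError(f"not a symbolic mode: {mode!r}")
    triplets = m.groups()
    perm = 0
    for shift, trip in zip((6, 3, 0), triplets):
        bits = 0
        if trip[0] == "r":
            bits |= 4
        if trip[1] == "w":
            bits |= 2
        if trip[2] in "xst":      # lowercase s/t means execute is also set
            bits |= 1
        perm |= bits << shift
    special = 0
    if triplets[0][2] in "sS":
        special |= 4
    if triplets[1][2] in "sS":
        special |= 2
    if triplets[2][2] in "tT":
        special |= 1
    return (special << 9) | perm


def review_listing(text):
    """Scan ls -l lines and return (path, [reasons]) for entries worth a
    question: world-writable entries without the sticky bit, and any setuid
    or setgid entry (to be compared against the expected baseline)."""
    findings = []
    for line in text.splitlines():
        fields = line.split(None, 8)
        if len(fields) < 9:
            continue               # 'total N' header or blank line
        mode, path = fields[0], fields[8]
        numeric = parse_mode(mode)
        reasons = []
        if numeric & 0o002 and not numeric & 0o1000:
            reasons.append("world-writable")
        if numeric & 0o4000:
            reasons.append("setuid")
        if numeric & 0o2000:
            reasons.append("setgid")
        if reasons:
            findings.append((path, reasons))
    return findings


# Constructed sample output in ls -l format (not captured from a real host).
SAMPLE_LS = """\
total 4
-rwsr-xr-x 1 root   root   54256 Jan  3 10:00 /usr/bin/passwd
-rw-rw-rw- 1 app    app     1024 Feb 11 09:12 /opt/app/config.ini
drwxrwxrwt 5 root   root    4096 Feb 12 08:00 /tmp
-rw-r----- 1 oracle dba    20480 Feb 10 22:30 /oracle/init.ora
"""

if __name__ == "__main__":
    for path, reasons in review_listing(SAMPLE_LS):
        print(f"{path}: {', '.join(reasons)}")
```

Note the two judgment calls built into `review_listing`: `/tmp` is world-writable but carries the sticky bit, which is the normal configuration, so it is not flagged; `/usr/bin/passwd` is setuid root, which is also normal, but every setuid binary is listed so it can be checked against what the system is supposed to ship with. The world-writable configuration file is the kind of finding the list above is about: visible at a glance to anyone who can read the mode string, invisible to anyone who can’t.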

What do you think about this list? What technical skill would you add or dispute? I didn’t even touch the soft skills!

For those of you who get audited, what irks you the most about what IT auditors don’t know?

* I realize auditors don’t normally log into devices they are auditing. Assume you’re sitting with the owner of the device and he’s logged in and you need to direct him to display these settings.

Of course there’s a LOT MORE to IT auditing than what’s on this list. I didn’t mention backup, disaster recovery, business continuity, and a host (pardon the pun) of other items. I’ve found the best IT auditors are former IT grunts; if you’re not a former grunt, I’d sure hope you have a good network of IT pros, IT auditors, and security analysts you can go to for a reality check once in a while (outside of the company you’re auditing). I know how much I depend on my network.

So what do you agree with, disagree with, and what would you add?

Do the IT auditors you know KNOW these things?


Filed under Audit, Security

32 responses to “What IT Auditors Ought to Know – and Don’t!”

  1. Great post since it highlights areas to study for auditors without IT backgrounds. Another one I’d recommend for the list is understanding the difference between a password policy (security policy document) and password policy (Windows security settings). A follow on to that is also understanding how a password policy is implemented in different Windows domains (2003 and 2008 domains).

    • Good to hear from you again, Corey. I had to chuckle at your policy comment, so true. I’ve known auditors to pass audits based on a written policy without checking the security settings themselves.

      I agree with your second comment that different versions very often have different implementations (tip to those junior auditors: that’s one reason why they upgrade the code). Heck, some of them don’t understand domains. Sometimes, 2 different versions are used so they CAN use different password policies.

      And to your addition to the list I would continue to add: understanding Unix password policies. As I tried to explain to one auditor, you can’t audit Windows and Unix the same, especially when you don’t know anything about Unix. Especially when you don’t really understand Windows. :)

  2. Chris

    I agree – the problem is that many people with formal IT degrees have not experienced working with this stuff, at least in AU.

  3. Chris,
    As far as I’ve heard, it’s a problem everywhere. For some reason in this particular profession, auditors think they can audit this stuff because they know audit. Yes, they can audit it, but is that the goal, getting an audit done? Or is it doing a knowledgeable audit that doesn’t pepper the subject matter expert (SME) with basic, irritating questions and adds more value than it costs in time, money, and SME frustration? SMEs should not train auditors!

    On the other hand, non-technical auditors don’t know the questions to ask, lack the ability to fully understand the answers (and how if X is true, that means Y!), and can’t tell whether SMEs are billowing smoke or don’t really understand the technology themselves. I have an upcoming post re: the second issue…

    Thanks for your input.

  4. Anil

    Mate,
    I am pretty sure that without knowing anything from the above you can still be a good IT Auditor. Fact is, you do not need to know the internals of an OS to check if the updates are applied from time to time. You do not need to know how to hack to audit networks for penetration testing results. When an auditor approaches such a subject, identify the objective and get the evidence accordingly, and that evidence needs to be in English to the auditor and not Greek and Latin. What has been discussed, in my view, is the role of an information security analyst. This is just my perception and not even my opinion.

  5. Finally, my thoughts have been put in writing :). Seriously, there is a lot of room for training IT Auditors because not all come from a ‘vanilla’ IT background (which includes formal “hands-on” Information Technology training).

    • Vashti,
      Unfortunately, IT does most of the training of auditors during an audit, and IT hates it. IT understands that they have to explain the specifics of each technology, but they expect us to know the basics.

      Personally, I think the best training comes from working in IT first, which was my experience. But I’m biased, of course. Thanks for your input.

  6. Anil,
    You’re correct – you don’t need to know any of this stuff to do an IT audit. But I’ve worked with auditors like this, and the results are ugly. They take what IT tells them and write it down and check the PASS! box and have no clue what they did. I come behind them and find all sorts of things they missed and didn’t question because they didn’t know any better.

    I have to admit that you don’t have to know much of this stuff to pass the CISA, but that’s my beef with the CISA (see my earlier posts regarding the exam and my experiences).

    Sure, you can see if service pack 4a has been applied or whether switches are used instead of hubs, but you won’t be able to add any value beyond that. Just like I can check whether a manager signed and dated the bank reconciliations in a financial audit, but I am unlikely to spot signs of fraud.

    I still maintain that you won’t be a GOOD IT auditor because you won’t understand what you’re auditing (that’s an ISACA and IIA requirement!), you won’t be able to suggest improvements in efficiency because you won’t understand the technology, and you won’t be able to spot an IT person who doesn’t really know what he’s doing either.

    Just because you receive evidence in English doesn’t mean you understand the concepts and how it all fits together (or doesn’t!). You can’t effectively audit an IT system by isolating each element and judging it on its own (which is the best you can do if you don’t understand the technology or the strengths/weaknesses of it); you need to view all the evidence as a whole and see if the parts agree with the whole, and whether 2 parts put together actually create a vulnerability.

    I do appreciate your input, Anil. I just disagree with it. Are you an IT auditor yourself? How many of the basics above (as I defined them) do you understand? Just curious where you’re coming from…

  7. Dinesh Babu

    New to field of IT audit
    I have substantial work experience in Programming and IT operations before plunging into IT audit. I am working as an internal IT auditor for the past 6 months, auditing Oracle DB hosted on a Solaris server. I must say that I have to read the complete security documentation of Solaris and Oracle DB before recommending problems/improvements in the audit report.

    A real world scenario I faced – tasked with not only checking whether patches are applied or not – because in the real world, DBAs complain that getting downtime is difficult. So, I check whether alternative measures are taken by DBAs to secure against known vulnerabilities. In order to understand the alternative measure – I must understand the technology at grass root level.

    The problem I am facing is I have to learn almost all the technology from a security admin point of view. Although my background education in IT and IT work experience support me, the task is gargantuan.

    Senior auditors, please suggest to me – is this the right way to do IT audit, or am I doing something unnecessary?

    • Hi Dinesh and welcome to the blog and the wonderful world of IT audit.
      A couple thoughts off the top of my head:
      1. Ask why downtime is difficult. Because DBAs don’t want to work the off-hours required to patch? Because 24-hour access is REALLY needed around the world per the business owners? Because batch jobs and backups take so long to run? Depending on the answer, you might have further questions.

      For example, if batch jobs and backups take too long to run, that’s a risk in itself that needs to be highlighted. What if something fails? How much time would it take to rerun all the failed jobs and catch the business up? Even databases have to be upgraded. When was the last time that happened and when is it scheduled in the future, as patches can be applied then.

      2. Auditors are not required to “understand the technology at the grass root level”. You need to understand the technology enough to determine whether the alternative controls appear reasonable. The DBAs need to take the time to explain that, especially if they know your background, which gives you an edge over the typical IT auditor. If they can’t or won’t explain it, you need to determine why, and that might be a finding in itself. IMHO, the DBAs have to defend their practices, so to speak. That includes explaining why they are adequate.

      3. Most tech stuff isn’t written for auditors. Can’t help you there. I think to be a good IT auditor, you have to have a love of learning and the ability to grasp really technical stuff at a high level. It sounds like you’re OK there.

      4. I suggest you go back to the DBAs with some of the questions I’ve posed above and then take it all back to your manager (who is required to give ‘audit supervision’) and get his input. You might also touch base with the DBA’s manager and the business owner of the data running on the server to get their perspective and whether they are comfortable with the “no downtime, no patch” situation.

      5. Sometimes, it comes down to how much you can get done in a certain time frame. Perhaps you can go deeper in each audit cycle, depending on the risk involved. I should have mentioned this first: what is the criticality of these databases to the business and what’s the risk? How bad could things go wrong, how would it affect the business, and how long would it take to recover? That will determine how deep you dive.

      I sure hope everyone else chimes in with their thoughts. I’m sure I’ll think of other stuff later.
      Best wishes, and let us know what you think, what you do, and how it turns out.

  8. Dinesh Babu

    Thanks a million for the detailed answers about IT audit. The post has given me a better light on what audit is and is not.

    As of now, the audit is over; I would use this approach for the next audit. I should have validated what the DBAs were telling me by cross checking with the business, but I just believed them. Criticality wise – they are mission critical databases. Even half an hour of downtime would have a high impact on month end.

    I would definitely post questions on this site on pressing real world audit issues I face in future audit.

    • Dinesh,
      Thanks for the followup. Auditees do tell you things to make you go away. Not often, but it happens. I was surprised we didn’t see more comments on this. I’ll look forward to your future comments.

  9. Dinesh Babu

    I attended a big 4 audit interview during which a question was asked that I had never done before. Thought of sharing it with forum members.

    “As an IT auditor, After SAP implementation, How do you conduct Post-Implementation review with minimal impact to client?”
    Initially, I was wondering why an auditor would conduct a post implementation review, while the user/business department would conduct the review to check whether the output of the system satisfies what was initially drawn up in the requirement specification (i.e. satisfies the problem of why the system was implemented).
    To my understanding the deviations would be noted and followed to closure, and such reviews are conducted periodically (3-6-9 months) as per policy.

    Please let me know your comments/corrections/improvements.

    • Dinesh,
      In my thinking, a post-implementation review is also about what about the process was successful and what could be done better. Regardless, one way to minimize client impact is to obtain and review the status reports and/or gate reviews issued throughout the project, as well as any meeting minutes or announcement/status emails issued after the project was completed.

      I’d also check the client’s site on the company Intranet, as that might provide additional information, such as training material.

      If the client was other than IT, I would talk to the key IT people involved in the project for insight and ask about feedback they received during and after the project.

      I can’t say I would have thought about all this immediately during an interview. It’s a great question. What did you say?

      Once this information is obtained and reviewed, you could better target your questions to reduce the amount of client time involved.

  10. Pingback: Master List of CISA Articles | ITauditSecurity

  11. Pingback: Ask a Question | ITauditSecurity

  12. ziad

    So why not post an article listing the resources using which one can know what an auditor needs to know as per your post

  13. devalv

    Does IT Governance come into the picture during post-implementation review? Please advise the significance.

    • devalv,
      Not sure what you are asking. A project’s post-implementation review, in my opinion, would not usually cover IT governance as a whole, but only as it relates to that particular project. In other words, did the project follow the project life cycle process, which usually includes governance items like business requirements, signoffs, gate reviews, testing, documentation, etc.

      I would note whether any of those items were missing and why, especially when the governance process requires them.

      When you find governance issues on a project, you would then try to determine whether it is due to poor project leadership, management override, or a faulty governance process.

      Does that help?

      • devalv

        Yes, because I actually read in a guide that: assess whether the system meets business requirements, has appropriate access controls, ROI achieved, lessons learned. I understand now that: intervention to stop, modify, or fix practices as they occur

  14. devalv

    Hi ITSecurityAudit,

    How similar is CISA to CISSP in terms of the examination? All I know is CISA will start on a fixed date and is 4 hours, while CISSP can start anytime and you take it. Do people who study for CISA have a higher chance in passing CISSP and vice versa? I understand that CISSP focuses more on the Tools and Techniques.

    • devalv,
      If you haven’t read all my posts about the CISA and CISSP, search those terms as I cover both exams a bit.

      I believe the pass rate is much lower on the CISSP, as it is more technical than the CISA (but the CISSP appears to be less technical than it used to be–see my post about that).

      The CISA covers audit theory and practices and some IT practices. The CISSP covers a much broader range of topics, and much more IT material. The CISSP is much harder.

      The CISA is an audit exam; the CISSP is a security exam. Passing one will help you with the other, but I would not depend on one to pass the other. Even if you pass one, you still need to study for the other.

      CISSP is not tools and techniques. It’s about risk, IT, and security processes and practices. Both exams are vendor neutral and are not about tools or software.

      Tools and techniques would be the Certified Ethical Hacker exam.

  15. devalv

    Hi IT Security Audit,

    I still find IT governance one of the hardest topics to understand. For example, what is the difference between cooperate and IT governance? The process of BCP, what comes first, what comes next, what comes before. Risk Assessment, BIA, then DRP. Why is cost-benefit analysis part of BIA? Does Post-implementation come into the picture?

    I also know that ISACA likes to trick us between IT Strategy and IT Steering committee; both are doing monitoring. I also see that ISACA likes to mix up between IT and Business, which one should be aligned with which.

    What is the most common difficulty when students study the IT Governance topic?

    • devalv

      See, one of the options given is:
      “the business strategy is derived from an IT strategy” for questions like
      “Effective IT governance requires organizational structures and processes to ensure that:”

    • devalv,
      When it comes to governance, the key is that senior management is always ultimately responsible, even over the business, as senior management is supposed to MANAGE the business and their leaders.

      Don’t understand your question, diff between cooperate and IT gov. You mean corporate? IT gov ensures that the resources of IT are managed effectively to further the objectives of the business.

      You need to know your business objectives first (what is the business trying to do?), then you need to know your risks (risk assessment) so that you can do your business impact analysis (BIA). If you don’t know those 3, you can’t do an effective analysis to ensure your BCP is on the right track.

      Not sure how post-implementation fits in, other than ensuring your BCP covers the business objectives, risks, and impacts that were identified. Also, you need to update the plan continuously as the business, risks, and impacts change, as well as test your BCP frequently.

      Most businesses don’t do a good job of this… in all the Fortune 500 companies I’ve worked in, I’ve never seen an effective plan OR testing. It is so expensive and hard to get right.

      Cost benefit analysis looks at whether the cost of the various BCP pieces you need to put in place (identified during BIA) are more expensive than the disaster itself. Sometimes, it is more cost effective to fix things when AND IF they happen instead of buying the hardware, services, and support to recover.

      The problem is that all companies underestimate how hard it is to recover from a disaster EVEN WHEN ALL KEY PEOPLE ARE AVAILABLE. Key people most likely won’t be available (killed in the disaster or too busy taking care of their family hurt by the same disaster, etc.) and unanticipated problems mean it will take MORE time and money than estimated.

      To see the truth of this, all you have to do is a simple test of 1 or 2 key systems. Or talk to others who participate in BCP tests regularly. I’ve never been part of a successful exercise of a plan. That’s sad.

      IT needs to respond to the business, not the other way around. IT is becoming the business. Too many nerds still don’t get that.

      Hope this helps. Cheers. Mack

  16. devalv

    For example: “An IS auditor is evaluating a newly developed IT policy for an organization. Which of the following factors would the IS auditor consider MOST important to facilitate compliance with the policy upon its implementation?” It says that: “The organization should be able to comply with a policy when it is implemented. The most important consideration when evaluating the new policy should be the existing mechanisms in place that enable the organization and its employees to comply with the policy.” – isn’t this post implementation?

    • devalv,
      What I think this means is that if the policy prevents the business from operating (selling, services, etc.), then that is more impactful than any risk the business faces (hacking, disaster, etc.). Post implementation is about checking whether the process that was implemented is the process that was planned, tested, and approved by management. Also, does it enable the business objective that the project was focused on?

      Also, the business must have a way to check compliance with the policy. If they don’t, the policy isn’t an effective one.

  17. devalv

    “Which of the following tasks should be performed FIRST when preparing a disaster recovery plan (DRP)?” – “The first step in any disaster recovery plan (DRP) is to perform a BIA.” – don’t understand? – I thought BCP comes first?

    • devalv,
      I attempted to answer this above….

      Keep in mind that BCP and DRP are different. One could argue that DRP is part of BCP. BCP focuses more on keeping the business running during a disaster (maybe revert to paper forms and snail mail versus online forms and email). If a business line cannot run at all without their online systems, then DRP is used to get those systems back online.

  18. Jen

    Hi

    I was wondering if it was worth my time to look at becoming an IT auditor, I have a Financial auditing background. I also have some IT background, did Info system studies in High school and some IT electives at University. Of the list above I understand about 98% of it. I actually can also map directories and printers.

    As for your example above about auditors passing password tests without knowing to check the IT system. I think they were just bad auditors in general, not just because they didn’t understand IT systems. The basics of auditing require you to understand that just because it’s a written policy or procedure doesn’t mean that’s what the client’s employees actually do.

    I had a client state over and over again that the cash registers do not allow employees to give discounts without manager approval (in the form of a manual key being turned on the register). I went and looked at a register: the key lock was permanently turned on, allowing the staff to do as they pleased. Reported it to the client, who stated “The staff know not to do it without permission”. On the last day I purchased something from the shop and the shop assistant offered me a discount.

    I have also worked with IT auditors who had no basic knowledge of how to use Excel to manipulate data or use basic pivot tables, Match, Vlookup queries. And didn’t even realise Excel could do those things.
