I recently stumbled across an article discussing how to choose an outside IT auditor by Kevin Beaver that stated, “With a few exceptions, auditors aren’t highly technical”–and may not need to know the difference between firewalls and fire hydrants.
If you know me, you know the non-technicality of many IT auditors really bangs my keyboard (see the CISA posts listed below). An IT auditor who doesn’t have technical knowledge about IT is like a person who washes dishes without water.
Is it not obvious that an Information Technology auditor should understand technology? By the way, I bypass the term “IS auditor”, and use “IT auditor”. Auditors should not only audit systems, but also technology, as both can have vulnerabilities and inefficiencies. In addition, having a technical title can mean higher pay.
Also, the “CISA” really should be the “CITA”, not only for the Technology reason, but “sisa” (as CISA is pronounced) sounds kind of wussy. At least “sita” has a hard consonant in it, and we could rhyme it with “pita”. Sure sounds more palatable, but I digress.
Beaver says, “I know some great IT auditors who can’t explain the difference between a firewall and a fire hydrant.” I guess the biggest difference is that dogs cannot physically access firewalls because they are in secured data centers.
So maybe Beaver’s statement that it’s OK for IT auditors to be non-technical nerds (which was written in 2004) led to today’s predicament. And if outside or external IT auditors can be technically illiterate, so can internal IT auditors. Thinking that way makes sense of another of the article’s points: Don’t assume a brand name (Big 4) IT auditor is always better. I agree; they are just more snooty and expensive.
Then the Beav goes on to say: “The CISA is an internationally recognized certification, which compares to the CISSP certification for information security.” Yes, the CISA is as international as the CISSP, and these 2 are the de facto certs in the IT auditing and security fields. But the 2 certs are not comparable in content, coverage, or respect–I have both of the certs, and because the CISSP is much more respected, it has made more difference in my career (opened more doors, but not specifically increased my salary).
To compare the two certs is to compare, as Mark Twain would say, the lightning bug and lightning. The CISA is nowhere near the CISSP in technical breadth. Maybe that’s why the CISSP consists of 5 letters and CISA has only 4. Heck, “Kissing for Dummies” is more technical than the CISA exam.
While Beaver and I agree that most IT auditors are not technical, unlike Beaver, I don’t think that’s OK; I think it’s a shame. I don’t understand why ISACA doesn’t beef up their exam requirements (would it not make as much money, since fewer could pass the exam?).
I guess IT isn’t complaining; more technical auditors would just mean more risk and control failures would be identified, which would result in more work for everybody. Hey, that might be a solution to the job shortage!
My Rants or Musings about Certs:
What IT Auditors Ought to Know – and Don’t!
Top 7 Reasons for Security Certification
Security Certs for Commoners? Nope
How to Pass Certification Exams
5 responses to “Firewalls vs. Fire Hydrants”
Actually making the exam harder should make them more money, as more people would have to retake the exam.
Good point. And furthermore, if the exam were harder and not as many people passed it, it would be more valuable and respected, so more would take it and fail, more money would pour in, and the cycle would begin anew!
I wanted to comment on your blog “What IT Auditors Ought to Know – and Don’t!” but the page isn’t working now.
Anyway, my question is applicable here too.
Let me ask you a question with some background.
I started my career as an IT auditor in a firm; at that point I had the CCNA certification and was working toward the CCNP, but in 6 months I realized that the knowledge I gained from the CCNA was sufficient because we are not troubleshooting or implementing anything. After that I realized I was lacking basics in operating systems and databases. I started planning for the MCSE, then people told me that only Windows expertise will not do the trick, I must have Unix/Linux knowledge as well. Then came the DB part: Oracle, Solaris and SQL Server. I was already confused, and then I was told that I must get the CISA, otherwise I won’t be promoted. Financial auditors demanded that we must also know general business processes related to supply chain, banking and insurance, etc.
I haven’t thrown in the ERP expertise part (ok, now I have).
Please explain to me how we get such a huge and diversified knowledge base?
It’s difficult for people like us who have started our careers in auditing, as compared to being in operations first and moving toward auditing.
Hi Confused, you ask some great questions.
The good news is that good IT auditors are in demand and that poor IT auditors are also in demand.
I’d get your CISA as soon as possible. My next post, which should be published on Monday, addresses this, so check that out.
Previously, IT auditors grew up in IT. Like me, they started on the help desk or doing break/fix (installing PCs, fixing problems, loading software), became server admins, then network admins. You took lots of classes paid for by the company as you went along, or learned it from playing at home and reading books.
Today, auditors get information systems degrees in college, have an auditing class or 2, and hit the ground not understanding auditing nor IT. Some still come over from IT, but don’t know auditing.
The best IT auditors understand auditing, and I’m assuming you have that down. If not, the CISA will help.
While the MCSE will help, it’s overkill for what an IT auditor needs to know. So how do you learn what you need to know?
Last year I did my first virtualization audit around VMware. I played with VMware Workstation years ago when it came out, but that wasn’t enough to audit VMware, especially the ESXi platform (VMware’s latest).
So I did a lot of Googling and reading. I talked to friends who ran ESXi at other companies. I devoured VMware’s website and other sites and blogs devoted to virtualization. I downloaded virtualization work plans from ISACA, NIST, and a host of other organizations, and read many PowerPoints that security people I respect developed. I convinced my employer to send me to a 3-day “Audit VMware” class.
I realize not everyone can attend a class, which really helped. But all the reading I did before the class helped me ask really intelligent questions in class that applied to my company. While the class helped piece some things together, most of what I learned came from reading, and everyone has that option. I’ve found good blogs on every subject I’ve ever audited.
Yes, I did some learning on my own time, but most on company time. If your company won’t send you to a class or give you the time to learn the material, they are violating IIA standards, as you should have a reasonable grasp of what you’re auditing. You might bring that up in a respectful way to your manager.
I also learned a lot from my main IT guy who leads the VMware team in my company. He quickly realized I understood the basics, which saved us both time, and gave me instant credibility. And I was able to teach him a few things too, even though I’m no VMware expert.
That’s another reason to get a certification like the CISA: you have to get CPEs to keep it, and the company is more likely to send you to those classes you need anyway. Talk to your manager so you know what audits are ahead and tell him that you’d like to develop a plan for educating yourself on what you’ll need to do them. He’ll probably be impressed.
Also, you learn as you do audits. Keep a cheatsheet of all the info you learn as you do audits, and read through it at least once a year.
Finally, you CAN download ESXi for free! As you can all Windows operating systems and some database software; much of the main systems you audit are available for trial use or limited use. And especially UNIX. All you need is a decent extra PC at home and some time. Great UNIX tutorials abound on the Internet.
It will not only make you stand out from the crowd, it will pay you back in the future in $.
I hope this helps. I’m happy to continue the conversation…