Audit and IT Audit for Dummies

Here’s some links for Audit and IT Audit for dummies, one from the IIA, the other from ISACA. Most of them do not require being a member or logging in.

While these articles are not extensive, they will point new auditors in the right direction, and provide a refresher for the rest of us.I covered the general basics for all auditors in this post.

For IT auditors, an advanced Google search of for the phrase “IT auditor should know about” provides a series of articles by Tommie W. Singleton such as:

What Every IT Auditor Should Know About Auditing Social Media

What Every IT Auditor Should Know About Access Controls

See also ISACA audit programs for financial auditors, and ISACA IT Audit Programs (both require membership to log in).

Here’s a shout out to madzutopia who left me a comment about audit basics, and got me thinking about a post like this. I hope this helps.



Filed under Audit, How to...

36 responses to “Audit and IT Audit for Dummies

  1. Audit Monkey

    This is what I love about the professional institutes, telling it’s members the obvious.


    • My dear sarcastic Monkey,
      These things are not obvious to all. Were they always obvious to you? Keep in mind that not everyone comes to auditing from an auditing background. I didn’t. I came out of IT and security.

      Obvious or not, I’m getting at least 20 hits per day on this topic, so people are interested in it. Have a good day anyway!


  2. Audit Monkey

    But the ‘Back to Basics’ suggests a retrospective review. And yes, for the record, I’m not interested!


  3. Audit Monkey

    OK! But seriously, I’m after technical detail, not how to audit.


  4. Will

    Just a heads up, the hyperlink to the IIA’s Back to Basics article “Plan a Successful Audit” leads to their “Gather Information from Clients” article instead.

    As an internal auditor with a long time interest in IT and security, I enjoy reading your blog, it’s interesting. Plus the ACL training links you posted were useful, so thanks.


    • Hey Will,
      Thanks for the correction. I check my links before I publish, but I notice some still get by. I rarely get comments about brain leaks like this, and I wish I received more. Thanks for taking the time to comment and for the encouragement. Few readers do it.

      The few that do are treasured…

      More ACL to come….Skyyler is working on how to create a script to import files into ACL. It’s almost done, so maybe next week. If anyone has specific ACL stuff they’d like Skyyler to dive into, let us know.


      • Will

        I think the hyperlinks must have been merged or something, now they’re both pointing to “Plan a Successful Audit.”

        Excellent on the ACL content, that should be interesting. Scripting in ACL is something I haven’t messed with much, but I’d like to get into it.


        • Will,
          Thanks again. They were merged together. I must have had them on the same line and then separated them. Frustrating. But fixed.

          As for scripting, much of it is so easy. Some of it is complicated, and ACL doesn’t do a good job of explaining scripting options/commands, in my opinion. But it can be done, and it can be loads of fun and save a ton of time.

          If you have the desire and can logically step through commands, you can master scripting, Will. Follow Skyyler’s next post and you’ll find how easy some scripting can be. We’ll be looking for your input after you tried it.

          I’ve seen Skyyler’s rough draft of his next post and it’s good. Maybe someday Skyyler will write some post on scripting basics. The basics ARE really easy and simple scripts are not hard to master.

          Skyyler has shown me stuff that I haven’t found documented anywhere. We just have to get it out of Skyyler’s skull.


  5. One thing I”d add to Effective Kickoff Meetings….Ask attendees whether any of the key contacts have any upcoming vacations, IT code freezes, special projects, pregnancies, and what-not that may make getting all the data, discussing findings, and completing other audit tasks hard to accomplish with the proposed schedule. That will often save you a lot of grief down the road and hassle getting the audit rescheduled.


  6. shobhana

    I have done B.TECH in IT and having 2.5 years of experience in ACL. I am interested in CISA certification but the fact is i donn’t have any idea about it and i have no study materials for it. Please help my.


  7. anubhav

    what is ACL? can u give me some guidance for CISA? I m a banker with no IT background….


  8. Clueless is the keyword

    I really appreciate the amount of time and thought you put into your blogs.

    I do understand you are not a career counsellor, but your honest replies to all the queries put forward to you in the comments section, pushed me to give it a try.

    I’m a Business Undergrad currently working as a salesman (not a happy one) looking for an alternative field of work.

    Our group internal auditor suggested I should check out auditing or IT auditing and a google search of IT audit brought me here and since then I have been frequenting your blogs and doing my research.

    Given my backround, do you suggest Audit or IT audit as an option.
    If yes, then what do you think my first course of action should be. Especially to start building a strong foundation.

    Cheers and Thanks a lot


    • Clueless,
      Thanks for the kind words. I have become a career counselor….:)

      You’re the first one who has said he actually talked to an auditor. That’s a great start. I would think that person’s opinion would be better than mine, so talk to that person some more as he knows you a bit better (perhaps) and certainly understands the employment market you’re in. But I’ll still give my opinion….

      With such little info, I’d suggest audit, not IT audit, based solely on your business background. I wouldn’t go into IT audit unless you are the type of person who loves new technology and learns it easily. If you already need to learn auditing, why add another layer of learning (IT)?

      Also, if you’re not a detail person, auditing is probably not for you. Auditing is checking all the details and can be very tedious at times.

      The best auditors love details and love learning.

      See if you can shadow an auditor for a day or two and see what they do. Listen to an auditor explain in detail the joys and trials of the last audit. If you lose interest, that’s your answer. I wish you the best—Mack.


      • Clueless is the keyword

        Thanks a lot Mack, really grateful to your immediate reply.

        I did not go on to write an essay seeking career options in my first comment as I was not sure if this was the right place, but now that you have acknowledged being a career counsellor, I think I can disturb you a little (if you don’t mind) ;)

        I did seek and still seeking our Auditors opinion, but just wanted some first hand IT Auditor suggestions. Given your friendly nature and very welcoming ambience of this blog, I didn’t have to look further.

        Actually one of the reasons I talked to our internal auditor was being an investigative curious cat myself, I was fascinated by what they do (i;e going over all the tiny details, looking for irregularities, keeping everything organised, making sure everything is in line).

        Given my work commitments I hardly get any time to lurk around auditors and hence relying heavily on internet. But I will definitely try shadowing our Auditor, that’ll perhaps give me some practical know how about the field.

        With respect to IT Audit, I’m a tech savvy person (I haven’t achieved Level: TECH GEEK yet). But I haven’t taken any professional course or certifications for the same.

        I did read one of your blogs about CISA where you mentioned CISA was more about auditing than IT.
        Given my background I was wondering if I should concentrate on Audit at first and then shift to IT or start both together at the same time.

        Finally, one of the most important reasons I’m considering changing fields is because I’m willing to, or should I say I want to put in that extra effort to learn something new. Also the fact that I just turned 23 and got a long way to go, I thought it would be better if I switch early.

        Thanks a ton Mack.

        P.S: Sincere apologies for the long post.


  9. Clueless is the keyword

    Most importantly, despite my business background, I have very little accounting knowledge. But I have already started informal accounting studies via books and the internet.


    • Clueless,
      No apologies required.

      Not all general auditors know accounting, and most are not CPAs. Most of the auditing I’ve seen in several Fortune 500 companies does not involve heavy financial knowledge. It seems that a lot of it is checking that balances match, authority limits are not exceeded, and paperwork is in order, etc. In other words, any auditor could do some of it, as any auditor can do parts of IT audits [Any general auditors want to take issue with these statements? Audit Monkey, are you going to bite? Bring it on.. :) ….]

      Some audits, of course, neither of us would be able to do, as they require deep financial understanding of finance and fraud.

      So with your business background, you might do just fine in general auditing.

      The key is to find someone who needs an entry-level auditor who is willing to learn. The Big 4 take a lot of people with little experience, but I do not recommend that route as it is a hard road unless you are desperate.

      As I have complained on this blog, a large percentage of IT auditors don’t understand IT or technology. You certainly would be better than some IT auditors I’ve seen. I see unskilled IT auditors all the time.

      If you have an opportunity to get into either general audit or IT audit, choose the job based on whether you are more comfortable with accounting or IT. If you only get one option, take whatever comes up.

      Is the auditor you’ve talked to a general auditor or IT? Make sure you talk to at least 1 of each type of auditor and get their input.

      When you say “start both at the same time”, do you mean studying? Either way, I’d start with one or the other, not both. The most important thing to learn first is how to audit. Then with each audit, you learn more of the specifics, whether it’s accounting or technology.

      Auditors have great jobs as they are paid to constantly learn more and more; the only issue is that you have to master it quick enough to ask your company experts intelligent questions while at the same time determine when they are leading you astray.

      Finally, yes, now is the time to switch. I’m getting ready to change careers for the 5th time. Each has been a natural progression from the previous one, but I waited too long between career 1 and 2; I should have moved much earlier.

      You don’t sound very clueless to me. Let me know if I can be of any more help.


      • I couldn’t thank you enough Mack.

        You definitely hit the nail on the head regarding joining the big 4, I was actually thinking along the same line.

        Once again thanks a ton Mack, I’ll definitely keep in mind everything you have said before I make the switch.

        Here’s hoping for both of us to make our switch as early as possible.
        May be I’ll become an IT Auditor someday and help you out with your IT Audit Blogs.

        Till then, an active reader and keep them blogs coming. Cheers!


  10. archi

    Hello ..
    Its so nice to find someone giving great career advise selflessly..very well done there !
    I m hoping you would be able to guide me as well.
    I m an enginner with 6+ yrs of work mostly in software devlopement, I stopped working 3 yrs back after having a baby and now am looking to get back to work. I want to change career from software devlopment to Information security..I have done my CISMP last month am hoping to get a break in entry level information security job. But I donot find any entry level jobs for Information security advertised for London and am wondering how to get a break. Also I am thinking of going in the audit route and considering doing a CISA…will that help me get a break ? My worry is without a job I will not be able to get a certificate even if I clear the exam..Please guide what to do…
    I am a bit clueless as I am being advised by my well wishers to go back to a field where I have experience since I am not getting a break but I am keen in getting in Information security.


    • archi,
      I am not familiar with the CISMP other than what I just read, but you will not be able to get the CISA cert without some applicable experience. You may be able to use some of your software dev experience for the CISA experience if you work on some compliance, privacy, or security projects. Even so, passing the CISA exam won’t hurt you, and it is not expensive.

      I don’t know the London market, but I’m assuming you have talked to everyone you know in the security field and audit field for help and ideas. How about any managers where you used to work?

      Have you contacted ISC2 (issues the CISSP) for help, as well as ISACA and IIA? You might have a local chapter in London and someone there might be able to give you some ideas.

      You could think about getting a help desk job, but that would be a long road into security.

      I think you might go back to software dev. Wherever you get a job, talk to the managers in the areas you’re interested in moving to, and let them know your interest. In the meantime, you will be meeting new people and gaining good contacts.

      You could also do volunteer work for a charity or small business to gain more experience and contacts. Often, the people you meet volunteering can really help you get where you want to go.

      Either way, it may take a couple years to get there, but at least if you’re working in software dev, at least it will pay the bills and keep your skills sharp.

      Sorry I can’t be any more help. Wish you the best. Mack


      • archi

        Thank you for your advise Mack…Its very nice of you to write back..The local London Chapter is something I would like to check and see if that helps…and if thats doesnt work I will think of all the other advises as well..Thanks again.


  11. amiegj

    Hi Mack – thanks for this post and others on your blog. Your meaningful feedback to readers is helpful. Letting you know the link in this post to ISACA’s access controls is broken. Is this the intended article?


  12. Dear,
    I am banker with it background planning for CISA please guide me in right books and links

    Thanking you wait for your reply


    • vbabji,
      If you don’t like the links in the above post, go to the top right of this page, and under Quick Links, click CISA. That will give you a list of all the CISA posts I’ve written. Plenty there. Good luck.


  13. axe

    Hi Mack,
    Firstly thank you for this blog and your insights of the cisa exam(free cisa
    guide). I planned to make a switch into IT audit field in 2015 and simple
    google search led me to your blog comparing cisa and cia certification.

    Reading that article made me think about my future in IT auditing and without wasting any time i registered and cleared the cisa 2015 exam.(yes i did feel the exam was more about audit than IT)

    I have a bachelors degree in computer science then i went ahead and did itil
    foundation cert(exin) and cisco ccna r&s after writing the cisa exam.But my
    work experience is just 4 months in system management and routing.I have tried to get into the entry level positions at the big 4 but nothing worked out there.

    now i am wondering if i should join a university for masters degree in
    information technology with information assurance or just keep looking for job opportunities.

    do i really need a masters degree in IT for auditing?


    • Axe,
      No, you don’t need a master’s degree. I don’t have one, and neither do most IT auditors.

      You have a great background; not sure why you haven’t found anything given the demand.

      I’d suggest you talk to auditors at your company and companies where your friends work for local advice.

      Glad you enjoy the blog. Thanks for your kind words. Wish you the best. Mack


      • axe

        Thanks for the advice, i actually did have a talk with my companies internal auditor.I think something might work there,btw i really liked your behind locked door series that was a good read.

        is there any other certs i should consider apart from cissp(later on) since i don’t have experience.


        • axe,
          What you do after CISA and CISSP depends on what you’re interested in. You might want to audit for a year or two and ask yourself that question again.

          Another thing I would do right away is learn as much as you can about analyzing data in Excel. You can do a lot in Excel, more than the average auditor realizes. I have a series of posts about that, but it’s elementary stuff, and auditors today need to go way beyond that. But I’ve found many auditors don’t know those basics.

          Right now I’m gearing up to use some of the Excel add-ins that expand Excel’s capabilities. If you have a 64-bit system and 64-bit office and LOTS of RAM, you can analyze up to 15 million rows in Excel.

          You could also consider learning how to use ACL (lots of posts about that on my blog) or IDEA, which are typical analytic programs used by auditors (but by not enough auditors).

          I know there’s a lot of hype about data analytics everywhere, but lots of auditors still don’t do it. In another 3 years, those auditors will be left behind. More and more departments are doing their own business intelligence and analytics and audit is about to be left behind. Guess I better write a post about that….



  14. Pingback: What IT Auditors Ought to Know – and Don’t! | ITauditSecurity

  15. Pingback: New IT Auditors Should Start Here | ITauditSecurity

  16. Pingback: Use LinkedIn to get an IT Audit job | ITauditSecurity

  17. Pingback: New IT Auditor (and WannaBEs) Master List | ITauditSecurity

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.