This post is the parking lot for questions that don’t necessarily relate to one of my posts.
If you want to ask a question, post it here.
I will try to respond, but keeping up with the blogĀ keeps me fairly busy, so I won’t promise to respond to every question. But perhaps my readers will put their 2 cents in.
The first 2 entries below are links to questions that readers already posted in other locations. If you have some advice or an opinion, please comment. Thanks!
How to do a risk assessment? How do I determine the risk of outsourcing a call center?
* This was resolved, but you might enjoy reading it and adding to the discussion.
Add a new question by clicking Leave a Comment below.
ITauditSecurity 
My question is more about getting myself into this field. I have 10 years of experience in IT. I have worked in on site deployment, support, disaster recovery for various enterprise products – Microsoft Exchange, SQL Server, Sharepoint, Lync, Office365, Windows server, HyperV etc. I am presently a program manager in Microsoft’s Office365 team.
I have a fair bit of IT security background…I did security support and incident management in Microsoft. I am CISSP/CISA certified. However I have not done any audit work but I really want to make my career there. What are my options realistically? How should I go about the transition?
Thanks and love the blog!
LikeLike
Hi Nick,
Yes, you have great experience and have CISSP and CISA, which is a great combination. All you need is a someone to give you a break. One caution is that you probably wont’ make as much money as you do now, but you never know (go to indeed.com and see what the salary ranges are for entry-level IT auditors in your area*).
* I was in a similar position years ago, with no audit experience, and was hired as an audit manager and was paid a lot more than I was making as a security manager–that was a fluke, but sometimes it happens, I had to learn how to audit fast).
I’ve switched careers more than twice and was paid the same or more each time. It’s all about how you leverage your past experience and show how it allows you to bring a lot to the new position. And how fast you can learn the new skills.
If you work in a company with an audit (or compliance) department, talk to one of the audit managers or auditors and ask for help. See if they would be interested in allowing you to work on a project with them (as a guest auditor). Of course, you have to have a good relationship with your current manager too. If that’s the case, ask your manager for suggestions and ask him/her what they would do (and whether they know any audit management in another company that might be interested in you.
If you don’t work in a company with an audit department (and even if you do), talk to some of the auditors in your ISACA chapter and ask them for help. You could do some informational interviews to get an idea what auditing in like. Discuss your background and the things you’ve done and ask the auditors how you can leverage projects you’ve worked on in an interview. Ask them what they’d do in your shoes.
I’d also look for entry-level IT audit positions in your area and see if they’ll hire you based on your IT and security background. Audit departments are know to hire non-auditors. The company I’m currently with just hired some people who never audited before. One of them is doing well, one is struggling, and the other is too new to rate.
Finally, I’d talk to everyone you know (spiritual leader, dentist, grocery clerk, friends, relatives, insurance agent, etc.) and tell them what you’re looking for and that you need some help. People love to help others. Some of those conversations have led to jobs more than once.
Let me know if you’d like to discuss your situation more….
I’m glad you like the blog–thanks.
LikeLike
Pingback: M-A-O-L » How to break into IT audit w/o audit experiencE
I am seriously considering sitting the CISA exam. However, my concern isn’t so much passing the exam but entry requirements to the IT Audit Profession. For instance, how much programming knowledge and skill is required? For example, to perform data analytics, some firms employ individuals who are able to extract data from systems, then use ACL to analyse it and arrive at appropriate audit conclusions. My point is I would fall at the first hurdle as I won’t be able to do the data extract and be reliant on someone else. Therefore, is CISA just scratching the surface?
LikeLike
Good to hear from you again, Audit Monkey!
On this side of the pond, no programming knowledge or skill is required. I’m not sure what type of extraction you’re referring to. Most of the IT audit jobs I see advertised over here do not require programming nor ACL.
Also, most of the auditors I talk to do not use ACL or only use it in an elementary, manual fashion (not complicated or scripted). This is s l o w l y changing.
Are you referring to writing a SQL query or job control language (JCL)? While I understand the basics of both and can write SQL queries from scratch (not really that hard), those skills are a bonus, not a requirement. However, understanding such things help when you review someone else’s query to understand whether it’s appropriate and obtains the correct data (population validation).
Most of the data extracts I do are simple downloads by clicking a button or watching an IT or business person download the data.You learn as you go along.
So yes, you do tend to rely on people, and the more data you are able to gather yourself, the better, and that reduces audit hours and increases objectivity of the data, My current client values that, but it wasn’t a requirement. It never was in any audit job I’ve had.
If you have the time and the money, I’d suggest still going for the CISA. It won’t hurt you and can only help. But I”d strongly suggest you talk to other IT auditors to get the scoop in your location (see my above reply to Nick for other ideas).
Let me know what you decide to do. I’m always interested in the ongoing tales of the Audit Monkey and his adventures!
LikeLike
I’ve been following your blog for awhile now, and I love the guides and links you give, they are a absolute treasure trove of tips especially for people learning like me. I’ll be heading to college soon, mainly to study for a job as a system security analyst or PenTester and I’m wondering? What kind of degrees best suit the Network security world? Universities all seem to offer their own take on the practice and I’m really unsure as to what kind of degree to pursure, or if there is a few specific colleges that are more renowned for their security expertise? Maybe a broader Computer Science degree? Or a System and Informational security degree for a more narrowed focus? Would really love your advice!
LikeLike
Hi Christian,
I wish I was in your shoes. When I left for college, security wasn’t a major or a department in most companies…but that was then….
You didn’t give me much of your current background in IT/security, so I’ll shoot from the hip and reveal my biases…
You might enjoy my Teach Yourself Security post.
I’ve heard a lot of good things about Norwich university. Take a look at their curriculum at http://profschools.norwich.edu/business/csia/curriculum/.
I like that they computing programming, databases, business law, SW engineering, networking, and even technical writing. That’s a good foundation that most people lack these days. Then you add your elective courses to tailor the degree toward what you want to go deeper. Interestingly, I don’t see any pentesting basics. That may be covered in the electives.
So those are the types of things I’d look for in a security program–a good foundation of all technical pieces. If you’re not working or volunteering in some type of IT work, make sure you get a side job doing that so you gain (or continue to gain experience).
As for which way to go, I’d try to ride the middle ground between a broad computer degree (but heavy on programming and networking) and a more concentrated security degree. My concern is that both ends of the spectrum are too far apart, and if you can fashion a program that has both, that will be your best route.
I still think the best security people are more generalists than specialists. They know something about everything and can go deeper on their own if needed because they have the thirst for understanding and the technical understanding to learn a lot on their own.
Too many people go to school for security now and don’t know the basics of servers, networks, applications, and the like–the daily stuff that a security analyst day is spent working in and around. A security pro needs to understand how his policies and solutions impact not only users, but IT workers. If you don’t understand the daily struggles those two groups have, you won’t be the greatest security pro.
Also, don’t neglect scripting. It is so powerful and necessary to understand when you try to unravel attacks against your assets or just automate tasks.
And learn *nix inside and out. It’s right up there with death and taxes.
LikeLike
Christian,
Also check out what I’m going to post on Monday. Click the link in that post, go to the Educational Resources tab, and you’ll find a world-wide list of schools offering computer security degrees. Hope that helps.
LikeLike
Hey there! Great site. I’ve been following your blog, and I noticed that you post a lot of great how-tos, specifically on IT auditing. I’ve seen some other content on topics such as security vulnerabilities and hacking. I’d like to know if you would be interested in featuring a guest blog post on your site.
We’re (Advanced Security by TrainACE) also in the business of how-tos, and we frequently provide demo videos and other how-tos for our readers on our blog (don’t want to link to it on your page for fear of spam bot, lol), in addition to commentary and discussion on breaking IT and cyber security trends and tools.
If possible, we’d love to speak you further about a possibility for collaboration! (And so we can give you the link to our blog freely, lol). Hope to chat soon!
LikeLike
Thanks, but up to this point, we’d rather stay independent. We have not collaborated with ACL.com for the same reason.
LikeLike
Thanks for the follow-up! Continued wishes for success for your blog :)
LikeLike
My questions is – Is there an advantage to having certifications such as Security+ and Network+ prior to getting the CISA?
I’m pretty sure I’ve determined I want to get out of corporate accounting and into auditing, but I’m trying to decide between CIA and CISA and then if pursuing a different IT cert first would be advantageous.
I’ve read through your other posts on CIA vs CISA and I’m trying to take that final step.
FYI – I’ve started on Security+, A+ and SQL 2012 trying to decide which way I want to go. I need to pick one thing and focus and recently have become very interested in the CISA. I’m hoping it would open doors on the IT side.
LikeLike
Hi Josh,
As far as passing the CISA, having those particular network certs will help you in some areas, like disaster recovery. They certainly won’t hurt you, But I would never recommend that order; I’d always do the CISA first, as that will give you an overview of auditing and IT.
Remember that the CISA is more about auditing than IT (unfortunately–I think it should be both). While the study guide covers lots of IT, the exam is not heavy with IT; some, but not much.
If you’re interested in IT auditing, finish what you’ve started and then do the CISA; I wouldn’t do the Network cert before the CISA.
As I’ve said multiple times, if your goal is IT auditing, the CISA is eaiser, faster, and cheaper, and if you decide you don’t want to do IT auditing, you’ve wasted a lot less time.
CISA and CIA will open IT auditing doors, but not IT department doors. I get the impression that you’re more interesting in IT than IT since you’re doing SQL 2012.
Good luck and let’s discuss more if you like….
LikeLike
Thanks for the reply.
A little background on how I got here might help. I’ve always been interested in the IT side of things, but life sorted directed be toward accounting. I’m a controller now and recently got my CPA to sort of finish that journey.
At work, I’ve always migrate toward the IT side of my job, supporting our accounting systems, creating access reports, excel of course and kind of being help desk lite. I’ve always had a great working relationship with IT to the point where they drop off parts for me to install myself.
The current interest in things like SQL server come from our use of it in the workplace. I decided I wanted to be the business intelligence expert, bought a couple of BI books, but decided I needed to learn the basics first. I bought SQL Server 2012 Developer and have started doing some self-study to learn it.
At the same time, after observing my colleagues, including our former and current CFO, I’ve noticed a certain skill set that seems to come from auditing. After getting my CPA, I decided that public financial auditing might not be my thing, so started investigating internal auditing. I then came across the CISA, which seemed to fit nicely with desire to learn the auditor skill set and my desire to work in IT.
I was hoping that by going the CISA route, I would be exposed to various technologies, including security, and ultimately look at getting the CISSP and/or doing some more technical IT work.
That’s kinda lengthy and probably better discussed over a beer, but that’s my general mindset and I’m trying to figure out how to focus myself for future career growth.
LikeLike
Josh,
That helps me understand the SQL part. SQL will certainly help you with BI and also fits nicely with data analytics, which are usually linked. And BI/DA skills are still sorely lacking in internal audit. Along with security and IT skills (smile).
Having accounting, auditing, BI/DA, and IT skills is a great foundation for all kinds of positions. You’re going to have fun. Keep me posted as you progress, ok?
LikeLike
I will try and do that. Now to get started on this little adventure.
LikeLike
Hi,
I get this message in most commands I try to execute, even in the simpler ones (the ones from the ‘analyze’ menu):
“An error occurred while opening the document”.
My files are ok in format, and I can’t find any related post in this blog or in similar ones, Could anyone help me with this issue?
Thanks in advantage!
LikeLike
Leticia,
By document, what do you mean? An ACL table or a file? I assume table. Check the permissions on the folder(s) in which ACL is installed and the folder(s) holding your current ACL project. Also, make sure the table is correctly linked to each .FIL file. Right click on table and select Properties. Make sure the path is correct. If not, right click on table and select ‘Link to new source data’, select client (if desktop) or server, then select the proper .FIL file for the table, then click OK.
Best thing to do is call ACL support. You didn’t give me enough details.
LikeLike
Hi there,
I am an Young Infosec professional with 9 mths of working experience in:
– Operating System Review
– Penetration Testing
– Vulnerability Assessment
I also got a 4-year degree in computer science.
Prior to this. I got ITIL and CAPM, I did average for ITIL and for PMI-CAPM i failed once and retake once last year.
I have not started studying but managed to get hold of:
CISA Review Manual 2015 (2014 as well)
CISA Review Questions Answers & Explanation
Is there any other third-party books I can start using this to study? I heard people say All-In-One-Cisa and some 3rd party books is good.
Given my working experience and some certification I have taken, how much effort do you think I need to study everyday? How many chapters and how often should I do the practices given it is less than 2 months?
Will attending the review course by the local chapter be good or should I save the course? What other resources do I need?
LikeLike
devaln,
It depends on how well you understand auditing and when you plan to take the CISA exam. I would not try to take the exam in December if you haven’t started studying unless you have a lot of time to dedicate to studying.
I generally studied at least one hour a day, but I had several years of auditing experience and many years of IT experience. Learning styles are also different, so it’s hard to tell you what works for you.
I’d suggest you look at all the chapters in the books you’re going to read and plan on an hour or more per chapter with 30 minutes to review that chapter’s questions. Based on how much time you have each day or week, you can plan a schedule to see how long it will take. Once you determine that, add 3 more weeks in case you get sick, have an emergency, etc.
I’d use the review manual and the Harris all-in-one. That should do it.
LikeLike
I have a question about variables.
I defined some variables to calculate the value for a defined field using input dialogs. The fields show in the table, but after closing the table/project and reopening the project. I get an error message saying “Error Loading View” and two of the variables I had defined show up in the message saying e.g.[‘STANDARD1’ is undefined] and the computed field columns are gone.
How can I fix this?
LikeLike
Dwight,
You didn’t give me much info to go on….
My guess is that you did not save the table before closing the project. Only when you save a table after adding fields do they remain.
I hope that helps.
LikeLike
I think the better question is, if I define a computed field from a user input and it adds the column to the table. On reopen of the project it wants to compute that field again but can’t because the user inputed values are cleared from memory. How do I get my computed values to stay? Maybe I can clone the column and paste it on itself.
LikeLike
Dwight,
Save the table. Or you could extract all fields to a new table after adding the computed field. Either would save the computed field.
LikeLike
Your blog is a treasure! A quick question on how to use it more effectively and efficiently. I found it is hard to find some of my posts, which I’d like to continue discussing about / reviewing. I tried to search them with my name “TT” but did not succeed. Any suggestion? Maybe this sound silly. Should I create an account in wordpress? From there, I will be able to search my posts in your blog? I know nothing about blogging.
Many thanks.
LikeLike
TT,
Here’s an easy way to find where you commented on my blog. Go to your favorite search engine (I used BING) and enter this phrase in the search bar:
site:itauditsecurity.wordpress.com TT
The only space in that phrase is between com and TT
Likewise, if you want to search for the term “skyyler” use:
site:itauditsecurity.wordpress.com skyyler
Most of your larger search engines support this feature. Enjoy!
I look forward to our future discussions.
LikeLike
Thank you, it works.
LikeLike
Hello Mac,
This is Ashish from India. I am referring these test questions and other free downloads for june 2016 exam. I am sure this will help me for the same seeing and reading the earlier responses and the wonderful information made available by you on this site.
It has come to my knowledge that recently CISA review manual has been totally revamped, however I am sure the concepts have remain the same.
Please let me know do I have to refer to these study guides only in the current situation or do you have any other material made available considering the recent amendments.
Thanks and Regards,
Ashish
LikeLike
Hi Ashish,
As to whether you should study the latest exam materials or rely on older ones, please see this comment https://itauditsecurity.wordpress.com/links/free-downloads/#comment-10574 as well as the question that proceeds it.
The other item to consider it whether it is ethical to use materials others have paid for; most certification materials, especially question banks, are intended for the original purchaser only (check the materials).
You don’t want to start a career in auditing by breaking the code of ethics. If you don’t have integrity, you cannot be an effective, trusted auditor.
I wish you the best.
LikeLike
Ashish, one other thing I neglected to answer for you….no, I don’t have any materials to use for the recent amendments because I got my CISA prior to the changes.
LikeLike
Hello Mac,
Thanks for your reply and best wishes, but I think you got me wrong on the ethics part.
Trust that I have already ordered the new CISA review manual by paying the required amount and I am surely going to refer the same but since I found the practice tests on this site I wrote to you.
The intention behind asking any of the questions was to be just sure that I am referring to correct free download material / practice test question papers on the this site and the internet apart from the CISA review official manual that I have purchased.
I hope now you will be sure that my intention was clear and not to breach any code of ethics or professional standards.
I appreciate all your efforts in making this practice test papers available on the internet which is really helpful tool to prepare for the exams.
Best Regards,
Ashish
LikeLike
Ashish,
My apologies. I did not mean to imply anything, but I can see how my reply to you sounds like that. Sorry about that.
I merely meant to raise the issue for consideration, especially for other readers who are facing similar circumstances.
The principles of auditing haven’t changed much; they just get added to and adjusted, but overall, don’t change a whole lot. The older materials won’t hurt you.
Let me know when you pass…
LikeLike
Hi IT security audit,
What is Quality Management system, has it got anything to do with the quality assurance process in the context of auditing?
LikeLike
devalv,
You don’t give me much context, but I would say Yes. Both refer to the process used to ensure that the work performed meets the company’s quality requirements.
In addition, audit departments usually ensure their audits meet quality requirements by following IIA standards and through audit manager review of the audit planning and workpapers.
LikeLike
Hi ITSecurity Audit,
I would like to discuss the important of automated compliance and why it is important for my job. I hope you can share your thoughts on this:
Why is automation too IMPORTANT for my job:
I am often burden by tons of tasks, many of them are repetitive, it helps me to streamline my work.
A script needs to be written once and be invoked many times, it helps to minimize the probability of human error.
Using of Script helps me to carry out complex task and involved automatically, so I can concentrate on other task while the script runs.
It allows flexibility ; it uses decision making logic to response to different conditions.
Use of Control-Self Assessment helps to detect risk to the system earlier by the client.
In short, learning to create programs for automating compliance is well worth the effort.
LikeLike
devalv,
Those are good reasons. You left out: it’s fun!
LikeLike
have noticed that none of my data files have anything in common with what is depicted in the book with the exception of the name and column titles. The data is mostly garbage. Here is a sample of the Sample_project/payroll analysis/empmast file. Anyone else having issues with the data files?
ưưưưƱư ĆĆĆĆĆ Ć@@@@@@@ @@@@@@@@@@@@ĆĆĆ ĆĆĆĆ@ĆĆĆĆĆ„ĆĆ@@@@@@@@@@ĆĆ„K@ĆĆ ĆĆ£ĆĆĆk@ĆĆĆĆĆ Ć¢@Ƶ@ĆØ@ƶ@@@ @@@@@@@ĆĆĆĆĆ¤Ć ĆĆ@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@ ĆĆĆ ĆĆ£ĆĆĆĆ@@@@ @@@@@@@@@@@@ĆĆĆ£ ĆĆĆĆĆ Ć@Ć¢Ć£ĆĆĆ¢Ć¢Ć @Ć±Ć²@@@@@@@@@@@@@@@Ć Ć¢Ć¢Ć Ć@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@ Ć²Ć¹Ćø@ĆĆĆĆ@Ć¢Ć£ĆĆ Ć Ć£@@@@@@@@@@@@@ @@@@@@@ĆĆĆĆĆĆĆĆĆĆĆĆ¢@@@@@@@@@@@@@@@@@@@@@@@ĆĆ@@@@@@ @@@@@@@@@@@@@@@@@ƤĆĆĆ£Ć Ć@Ć¢Ć£ĆĆ£Ć Ć¢@@@@@@@@@@@@Ć¤Ć¢Ć ĆµĆ³`ƱưƵ Ƶ@@@@@@@@@ĆĆĆ ĆĆ ĆĆĆ ĆĆ@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Do you have any thoughts?
LikeLike
melissa,
The file might be corrupt or you are loading it as one type when it is another type (e.g., loading it as a delimted file when it is an Excel file).
LikeLike
How does one get their foot in the door in the IT Audit field? My background: Masters in AIS, passed CISA, been working as an accountant in industry for 1.5 years. I’ve been wanting to pursue a career in IT Audit since starting my degree but only landed a low paying staff accountant role. I passed my CISA recently and figured I’d start aggressively searching for IT Audit roles again in public/private/gov’t, anywhere… but either I have too little experience or there are barely any ‘entry level’ IT Audit roles out there that I can find.
LikeLike
Toast,
I’ve answered this question in a couple of places. You will find most of my suggestions in the comments after any article with CISA in the title. Here’s a good place to start: https://itauditsecurity.wordpress.com/2013/03/04/cisa-vs-cia-certification/. If you have a more specific question, let me know.
LikeLike
Hi,
I have about 5 years of experience in IT industry in software testing(web,applications, greenscreens etc) . I have been looking for a career change and I am interested in the IT auditing field. IS my experience relevant for the certification. and how many hours of study would you recommend.
LikeLike
Sharanya,
Yes, that background would help you in IT audit and would most likely count toward certification requirements assuming the work you did was related to security or audit.
The study hours would depend on how well you understand the fundamentals of audit and IT processes and how fast you can gain that knowledge. Everyone learns at a different pace.
I always overstudy for certs, and I don’t remember how much I studied. I just studied until I could pass tests for each of the domains at 80% or better. See some of my other CISA posts for study tips. Good luck.
LikeLike
Can you post a topic about career progression/ opportunities after audit?
What opportunities exist for those looking to exit IT audit?
LikeLike
Porak,
Good idea. I’ll work on that.
LikeLike
Pingback: Careers After IT Auditing | ITauditSecurity
I’m trying to capture a particular field and record number as a variable for usage as a prefix text later on in a script.
Do you have any idea how I may best be able to define the variable via EXTRACT or some other option?
LikeLike
Dwight, Your best bet is to post your question to the ACL forum and give additional information and sample data. You’ll usually get an answer the same day.
I’m not sure what you’re trying to do. You’ll probably need the LOCATE RECORD command for sure. Sorry I can’t help more.
LikeLike
Thanks, I’ll do so.
LikeLike