As we all know, too few good IT audit blogs exist.
So it’s exciting when a new one is launched that shows promise.
Check out risk3sixty, which aims to provide IT audit info for the layman or manager who doesn’t work hand-in-hand with IT systems on a daily basis.
One of the blog’s first posts laments that the author “can’t find a single I.T. Audit blog I find helpful”. It includes a screenshot of a Google search of IT audit blogs, a screenshot that made me chuckle.
The second blog listed is yours truly — see the post and graphic here.
(Actually, as blair151 pointed out below, the first listing is a paid ad, so I’m really first. Thanks for the keen eye, my friend.)
I’ll admit that my blog isn’t a pure IT audit blog. It includes my audit and security adventures, some opinions and rants, skkyler’s ACL fodder, and my pimpled humor. But I still made the risk3sixty blogroll, so I’ll take that as a compliment.
I also chuckled at the Google screenshot because my Audit Monkey friend’s blog is listed 5th, and he’s no IT auditor, which proves risk3sixty’s point. However, AM has a unique UK auditor perspective, so visit him once in a while.
And of course skkyler chuckled cuz the ACL blog is listed 6th in the screenshot.
Back to risk3sixty
Here’s a sample of the posts you’ll find on the risk3sixty blog:
- Analysis of Strong VS Weak Passwords
- Online Voting and IT Security
- Can I Use a Screenshot as Audit Evidence?
- What is a Stateful Firewall
I’m sure more good posts are on the way, so check out the blog’s bearded IT auditors, and leave them some encouraging comments.
The neighborhood just got better…
ITauditSecurity 
Yours is actually the >1st< one listed in his Google screenshot — that Atlanta hit is a paid Ad. So, way to go!
Thanks for the tip to his blog — I've subscribed. His article about screenshots was really interesting.
LikeLike
You are so correct. I updated my post as a result. Thanks.
Yeah, I really like the screenshot post too. Glad you liked their blog. I expect great things from their blog.
LikeLike
Thanks for the post, Mack. We really appreciate the link love. Hopefully the fact that you made it to our blogroll is evidence of our approval and we’ll try to post some good content on our end too!
LikeLike
Christian,
I just wanted to officially welcome you to the neighborhood. Internet real estate values are already increasing.
Glad to offer some encouragement. You have a great niche and I’m sure auditors everywhere will appreciate it. And you already have a great start. Keep the good content coming. Best wishes, Mack.
LikeLike
Thanks for the plug. I actually have been aware of your blog for some time and it was part of what inspired me to kick the idea over to my co-author, Christian for ours.
Your blog has been helpful to me at work more than a few times. If you’re ever in the Atlanta area, I owe you a beer and taco.
Cheers!
LikeLike
Shane,
Thanks for the kind words. Being an inspiration to your blog is an honor.
Glad to hear the blog has been helpful. While it’s a lot of work, it’s a lot of fun too.
Bummer, I was in Atlanta last month for a job. Maybe next time.
LikeLike
Thanks for the interesting posts Mack.
I’ve been following this blog for quite a while now.
I’m actually a graduate from financial accounting, but I’ve always had a huge interest in IT systems and how they works.
I am currently completing my ACCA accounting certification (a promise to be kept with my parents). I’m 23 this year, but my family run on a tight budget so it is not practical for me to study full time in what I want to learn about.
Work experience wise, I’ve worked in
(i) external audit, and
(ii) currently working as an account analyst in an shared service SAP environment (this particularly fueled my interest much more than I thought).
After researching a bit, I found that IT audit may be a possible path for me to try to transition into the IT field, while I can still leverage on my accounting/business knowledge (so that what I learnt does not go to waste).
I have tried to ask around, but unfortunately I found out that there is no dedicated IT audit role in my company. Instead, there is only a chance to be part of a rotational internal audit team that test on internal controls of finance service delivery team.
I have these options in my mind now…
Option 1
Stick to what I’m doing now, try to join the internal audit team next year and try to complete the CISA exam. After which, attempt to apply for IT audit roles in other companies with internal audit experience as well as a CISA paper.
Option 2
Try to apply for an IT audit role in the Big 4 advisory, while trying to complete the CISA exam at the same time.
I am unsure of the practicality and the feasibility of the options above, but I foresee that a lack of technical knowledge can be a problem for me. I tried looking into the domains of CISSP, but I am unsure in what area should I start learning first to become “relevant” to IT audit. I’ve looked a bit into everything, and the more I scratched the surface of each area, the more overwhelmed I’m feeling.
Would you recommend me to focus on CISA first, or would it be better to work on technical knowledge first?
Once again, thank you for your time for reading through my question.
LikeLike
M,
Glad you came out of the woodwork finally. Lurkers are welcome, but commenters are cherished. So are financial folks.
I’d study the CISA first for a couple reasons: it’s an easy cert, IT audit managers look for it, and you’ll learn some things about IT.
Second, if you’re serious about learning IT audit and don’t mind being put through a grinder (and especially if you have not family of your own), I’d try for the Big 4 IT audit role. While I dislike Big 4 and written about that on this blog (mostly in comments I think), my reasons in your case are as follows: Big4 often take less experienced people, they will teach you IT audit (although it tends to be checklist oriented instead of based on the individual system, company, and situation), and you will get great experience on your resume. For some reason, private companies love to hire Big4 auditors. But I warn it, it will be a rough 2-3 years of long hours and lots of travel. But they’d probably pay for your certs too.
Did you see the link in one of my CISSP posts regarding the free online training for CISSP? You can’t pass the exam based on it, but it will help you learn a lot for free. I’d still do the CISA first, then review the CISSP training. Even if you don’t take the exam or get the cert, what you learn will be valuable.
If you work on gaining technical knowledge only, you won’t have anything to show for it that makes you desirable to employers. That’s why I stress certs first, which allow you to learn some things in the process.
Since you’ve been around here a while, you’ve heard me say that most IT auditors aren’t technical. The ones I’ve worked with in various companies sure are not. So the competition isn’t as tough as you think, especially since the market is tightening. I’m getting emails, calls, and linkedin invites several times a week.
Also, IT auditors who know the financial side are jewels. There’s not too many of them, so GO FOR IT!
I’m happy to continue the discussion…
LikeLike
Hi Mack,
Another small question that I would like to ask…
What industry do you foresee to be the most challenging for IT auditors to do their job?
How significant can such differences in the industry make to the IT auditors?
LikeLike
Hi Mysticeti,
Based on the industries that I’ve worked in, I think manufacturing is one of the tougher ones, mainly because they usually don’t have the money to devote to security, solving risk issues, employees, or tools.
Also, since they are not regulated as much as financial or healthcare, the findings auditors present are not heeded as well.
The other industry that’s hard, so I hear, is education. No organization has turnover like a school with their students, and the openness of the environment (especially schools that do research) make it hard.
Personally, I like to work with the industries that are more regulated.
What does everyone else think?
LikeLike
Dear Mack,
Thank you very much for your kind insight!
To be honest, your blog was the first blog that I found aside from the official ISACA / IIA websites that talks about IT audits. Your sense of humor kept me interested and it’s certainly exciting to follow your blog.
Due to some financial constraints, I’d only be able to seriously think about changing my job after the bonus payout somewhere around April 2015.
Looking at the CISA schedule, it seems like the next sitting will be on June 2015, while my audit paper (coincidentally) will be around that time as well. Seems like a tough one, but I might take a go at it.
So my best bet would be to try to upgrade my knowledge base to get certified before trying to make this jump. I was being overly anxious from the sea of information in the internet, and what you said definitely taught me how to set my priorities for now.
P.S. Thanks for the little gem you left at my page! I’d certainly take a look at it ;) You’re awesome.
LikeLike
@Mysticeti,
If you really want to learn the IT audit side while working the financial audit side, I think the best thing you could do is start labbing at home. Make IT your hobby.
Use your student email account to go to Microsoft and get free Windows Server software and set up your own Active Directory at home: https://www.dreamspark.com/
Create your own inexpensive Router/Gateway & Intrusion Detection box at home: https://doc.pfsense.org/index.php/PfSense_and_FreeBSD_Versions
Set up a Virtualized server space at home and practice networking them together: http://www.vmware.com/products/vsphere-hypervisor
The list could go on for days…. bottom line. Become a geek if you’re interested in getting into this business. You’ll be more than just a Check Box auditor, have way more fun and will be leaps and bounds ahead of most of your peers.
-Shane
LikeLike
Mysticeti,
Although I am not familiar with the websites noted in the first 2 links above, I agree with Shane in that learning by doing really helps. Some of the software is cheap and lots of it is free, especially to students. The only problem becomes having an extra computer that can run some of that software. Creating virtual servers really help, but you need to have a box with good CPU and lots of RAM and disk. I would not play with stuff if you only have a home computer that is shared with the family.
If you do have another box you can play with, go for it. But it is easy to become overwhelmed and spend time learning technology that your employer or future employer doesn’t use.
If you go this route, my suggestion is to stick to the basics. Find companies you’d like to work for in your area and look at what they want in IT auditors by viewing the posted jobs. Find the common technologies they want their auditors to have and learn those technologies. Also note the tasks they want auditors to perform (like risk assessments) and read up on those items.
I’d first focus on studying for the CISA and if you can make extra time, look at the open job positions and read/play with those common technologies. I still think certs have to be first and you will learn some of the basics while studying.
Don’t look at all you need to learn. It is more important to get started and learn what you can in the time you have. You can only do what you can do. So do what you can.
Shane,
While I don’t have moderation of comments turned on, your comment was not auto-approved due to the number of links you included. That must be an automated feature, so FYI. I’m assuming you have more control of moderation since you’re not using a free version of wordpress like I am.
Thanks for your encouragement to Mysticeti. I appreciate when other chime in and provide other options and points of view.
LikeLike
thanks for the referral, mack. another interesting blog to subscribe to. the IT audit neighborhood just got better, indeed!
LikeLike
L,
Thanks for taking the time to comment!
LikeLike