If you’re a new IT auditor or want to become one, I’ve listed a number of my earlier posts for your consideration. If you’re an experienced auditor, here’s an overview of the profession through my eyes.
These posts will:
- Provide basic information regarding IT audit and security and links to other sources.
- Help you avoid some of the hidden pitfalls that control owners and auditors face.
- Give you ideas and approaches for some common and uncommon audits.
- Give you a few chuckles.
If you start at the top and read through each post, you’ll get a good taste of the positives and negatives of IT auditing. Since you can’t do it in one sitting, you could bookmark the list and work your way through it as you have time.
Even if you only read a couple of them, let me know what you think.
How to get an IT Audit job with little or no experience
Basics of IT Audit
How to Describe What an IT Auditor Does?
Top 10 Reasons to be an IT Auditor
What Everybody Ought to Know About Auditor Secrets
What IT Auditors Ought to Know – and Don’t!
Things to Consider
Periodic Access Review Problems
How Virtualization Changes Audits
Audit Suggestions and How TOs
How to Perform Population Validation
Easiest Way to Steal Confidential Data
How to do an Easy Server Share Audit
Server Audit for the Dauntless
Top 10 Ways to be a Lovable Auditor
Get FREE Audit Work Plans at AuditNet
The other side of the coin
If you’re still hungry for more, here are a couple series of posts (each link leads to a series of posts on that subject).
Certified Information Systems Auditor (CISA) – How to pass the exam, free study resources
15 responses to “New IT Auditors Should Start Here”
Great sources! Thanks!
Does someone have to be well versed in programming in order to succeed in IT auditing?
No, not at all. Most of what I’ve learned has been on the job. It certainly helps to be able to read code and interpret scripts with the automation that most companies are employing.
But overall, no. When I was a new auditor, I merely had the subject matter expert (SME) walk me through the script at a high level. Then if anything wasn’t clear or seemed strange, I asked a more detailed question.
Also, with the Internet, basic answers are easy to find. For example, you can copy and paste part of a Python or bash script into GOOGLE and get an explanation. Or you could look up the command and all the switches (options) and piece it together.
Usually, I look through code or queries, search for information about the parts I don’t understand, and then I can ask the SME more intelligent questions.
Most IT auditors are not looking at code. Many audit shops don’t even question queries or scripts, but accept them verbatim. That’s a bad idea.
At one company I was at for a few years, I found errors in at least 30% of the queries or scripts I reviewed.
My suggestion is to ask lots of questions and document what you’re told. Eventually you’ll pick a couple things up, which makes it easier to GOOGLE for other answers, and the more you do, the more you learn.
Hope that helps. Mack
Love your blog. Would be nice if you could do a blog post on how to break into the industry, especially for those of us that are no longer students but have computer science or CIS degrees. Been trying to break in but keep hitting the “need 2 years of experience” barrier.
Glad you like the blog.
I assume you mean break into IT audit. I’ve given a lot of advice in the Comments of various posts (mostly the CISA posts), but I’ll try to put something together that is more focused.
Thanks for your response. Yes I meant the IT Audit industry. Would eagerly wait for any future blog posts you have on that. Thanks in advance.
See the pingback link immediately below, which lists my suggestions on how to get an IT audit job with little or no experience.
Pingback: How to get an IT Audit job with little or no experience | ITauditSecurity
I found your blog a few months ago when I was preparing for the CISA certification.
I am looking for a Job as an IT Auditor preferably or in IT Security and controls Advisory including IT Risk assessment and controls mitigation.
I am posting this message because I need some help or connections if possible to attain my career objectives.
I am in Cameroon, somewhere in Central Africa and Security controls and IT Audit is not yet embraced by many companies and just a limited number of Multinationals may have Information security or internal Audit departments.
I have worked for an ExxonMobil Affiliate in Cameroon where I had some skills in Security, Controls and IT Internal audit. A few years ago I took some time off for private reasons and later had some projects to integrate in the Middle East but things did not work out as planned due to the fallen prices in the world market for Oil and Gas.
I decided to validate some of these competencies by acquiring some certifications. I must say that I had been Cisco CCNA and CCNP routing and switching certified way back in 2001 and 2003 and even passed the CCIE written exam in 2004 but I stopped these certifications. I had to redo the CCNA routing and Switching and then obtained Cisco CCNA SECURITY. I also obtained as a result CNSS Information Systems Security (INFOSEC) professional recognition. I have just received my CISA certificate.
There are not many or good opportunities here. I tried the Big four as I read through the blog articles (KPMG, E&Y, Deloitte, and PWC). Some are not doing IT Audits and others don’t seem to have the need or respond.
I just thought I should throw out my issue here and see what advice you may have for international offers or possibilities.
I am willing to provide any complementary information.
Unfortunately, I don’t know how to help you. You seem to be on the right track in the things you’ve tried so far.
The only thing I can think of is to work your LinkedIn groups. Ask others in your group for help. You might want to join some groups directly related to IT audit.
Also, get some recommendations on LinkedIn if you can.
Anyone else out there have any ideas?
How to succeed at being an IT auditor.
1. STOP harassing technical people. PLEASE! The number of completely idiotic audit requests I have seen in my lifetime as a senior systems engineer is amazing. Stop it with the stupid requests for useless information, or at least do it yourself and stop bothering people who are trying to accomplish real work. See #2 below.
2. Show up at the jobsite ready to roll. I do not want you bugging me with 400 different report requests. If you are auditing the mainframe, then you should have a job set up, already coded and tested, with every report you possibly need. The ONLY questions you should have for me are:
a. What is the ROAUDIT userid and password?
b. What is the ftp address to ftp your already tested jcl to?
c. Are there any special job requirements to be aware of?
d. Are there any naming conventions to be aware of?
e. How to access the mainframe tso session.
3. After you are done with your audit, then instead of just blindsiding me with completely idiotic dates to remedy something, come talk to me so we can work out a mutually agreeable date. When you think a so-called “security” issue is going to be fixed in production in a couple weeks, that just shows me how clueless you are about large parallel sysplex environments. Not to mention trying to beg 34 clueless approvers who are (for some inexplicable reason) involved in the change management process, to approve the change... that approval process alone will take four weeks.
I agree that too many auditors do this. Auditors need to prepare well and be realistic.