Author Archives: ITauditSecurity

About ITauditSecurity

Mack is an IT auditor and author of the ITauditSecurity blog for IT, audit, and security professionals. The blog provides HOW-TOs, analysis, and humor.

Don’t Miss all the Free Advice & Info

While you are checking out my blog, make sure you don’t miss all the free advice that’s lying around.

And I’m not talking about the blog posts (those are good too).

Whether you are a new reader or you’ve been around since the beginning (2009!), when you find a post you like, don’t forget to do the following after you read it:

  1. Look in the upper right corner of the website for my Quick Links. This will take you to multiple posts on these subjects.
  2. Use the Search Box to search for key words.
  3. When you read a post, check out the Comments. We respond to a lot of questions and provide information that isn’t in the blog posts.
  4. Leave a question of your own in Comments. We will respond.

Filed under Audit

Auditor Struggles, Part 4

This is Part 4 of a Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. See Part 1, Part 2, Part 3.

“Does the Process X team provide metrics around their process?” I asked.

“Yes,” the most senior auditor replied, showing me the web page where the Process X metrics were displayed.

After reviewing the page briefly, I said, “I see they do metrics by month. You have a year’s data; are you planning to understand how they prepare their metrics and re-calculate them to see if you get the same numbers?”

Filed under Audit, Case Files, Data Analytics, Excel

Auditor Struggles, Part 3

This is Part 3 of a Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. See Part 1 and Part 2.

I looked at the third page of the handout and asked, “What is this?”

“A list of Active Directory (AD) groups and the user IDs in each group. I searched AD for any group containing the system name,” the junior auditor said, “and identified these 6 groups. I then downloaded all the members of these groups from AD into Excel.”

Filed under Audit, Case Files, Data Analytics, Excel

Auditor Struggles, Part 2

This is Part 2 of a Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. See Part I.

I picked one of the fields and said, “Please show me how you profiled the Status field, for example.”

The auditor proudly projected his Excel spreadsheet on the conference room screen. He said, “I filtered the Status field to display only records containing ‘Complete’, noted the number of filtered records in the lower left corner, and recorded the value and the number of records in the document.”

3 Comments

Filed under Audit, Case Files, Data Analytics, Excel

Auditor Struggles, Part 1

Some auditors struggle with basic auditing. So when these auditors try to do data analysis, well, you can imagine how that goes.

I recently met with a team of auditors to give them input on what data profiling would be appropriate to perform. And what analytics might be insightful.

This is Part 1 of a 4-part Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. Do not try these methods at home or work. Don’t even dream about them, awake or asleep. 

5 Comments

Filed under Audit, Case Files, Excel

xLookup Coming to Excel Near You!

Microsoft announced that they are adding a big brother to vLookup named xLookup.

The best things about xLookup: 1) it fixes some of the limitations of vLookup, 2) it is easy to understand and use, and 3) it replaces hLookup also.

Also, vLookup and hLookup are not going away, so if any of your colleagues struggle to learn new things, they can continue to use them as is.

1 Comment

Filed under Audit

A Sneaky Way to Analyze IT Controls

When auditors need to identify and understand IT controls, they search the company intranet, review policies, look for GitHub repositories, review inventories, schedule meetings, and analyze IT asset data.

I stumbled on a better way to get insight into the IT controls in my company, and I didn’t have to email anyone, do any research, or frankly, anything outright. The IT controls came after me.

Fortunately, the IT controls were blind to the fact that I am an IT auditor. To them, I was just an ordinary bloke. But that didn’t last long (more on that later).

It Began a Few Years Back

It all started a couple years ago when I was building the infrastructure required to support our data analytic efforts in internal audit.

Filed under Audit, Case Files, Security, Technology