Author Archives: ITauditSecurity

About ITauditSecurity

Mack is an IT auditor and author of the ITauditSecurity blog for IT, audit, and security professionals. The blog provides HOW-TOs, analysis, and humor.

Create a Help Desk for Data

analytic metrics, numbersCompanies need to create a help desk for data, similar to the help desk they created for hardware, software, application, network, and user problems.

Can you imagine if companies didn’t have a computer help desk and each department had figure out their own computer issues? If each department had to find, load, configure, and troubleshoot their own hardware and software?

But isn’t that how most companies operate when it comes to data and data projects?

Continue reading

Leave a comment

Filed under Audit, Data Analytics, How to...

Some Periodic Reviews Provide Little Assurance

securityI’ve written before how some periodic reviews provide management with little assurance, but management doesn’t realize how little.

My previous post focused mostly on server access. In this post, I want to look at normal user access.

For example, let’s assume your company has a policy that states that all IDs must be assigned within an Active Directory group. In other words, IDs are assigned to groups, and groups are assigned to assets; IDs should not be assigned directly to an asset.

Assume the control you are testing states that user access is reviewed annually.

Continue reading

Leave a comment

Filed under Audit, Security, Technology

Blogging about Internal Audit (10 tips)

A looooooong time ago, Leeann asked me to write a post about blogging about internal audit, so here goes. Most of this post applies to blogging on any subject, too.

First of all, there is a dearth of good internal audit blogs, and even less good IT audit blogs. So if you’re thinking about, we sure could use you in the blogsphere!

Writing a blog is hard work, and you often get tired of it. Life finds a way to get in the way. This is my 11th year of the blog (see the first post here), which, ironically, was written by skyyler. Fortunately, we’ve gotten better since that first year.

Blogging about internal audit is like a moon shining in a dark place… here’s my 10 tips…

Continue reading

10 Comments

Filed under Audit, Blogging

Mack-the-Auditor Gets Audited! Part 3

Review ACL log

This is the third of 3 posts; this post describes how I audited the auditors and my perspective on the whole thing.

Read the first post (background) and the second post (audit results).

Continue reading

1 Comment

Filed under ACL, Audit, Case Files, Data Analytics, Scripting (ACL)

Mack-the-Auditor Gets Audited! Part 2

Review ACL log

This is the second of 3 posts; this post describes the audit, some speed bumps, and the audit results.

Read the first post here, which provides the background on the audit and the audit’s scope.

Continue reading

1 Comment

Filed under ACL, Audit, Case Files, Data Analytics, Scripting (ACL)

Mack-the-Auditor Gets Audited! Part 1

Review ACL logUsually, I’m the one doing the auditing, but this time, I (Mack) was the one who was audited.

It was a great experience for me.

Well, sort of. No one likes being audited (ahem). But it gave me a fresh perspective of how others feel when I audit them.

This is the first of 3 posts; this post contains some background info on the project that was audited, and the second one discusses the audit and the results, and in the third post, I describe my perspective on the whole thing, and some takeaways.

Continue reading

1 Comment

Filed under ACL, Audit, Case Files, Data Analytics, Scripting (ACL)

Why this pic on this blog?

Have you ever wondered why I selected the picture above to represent my blog?

This picture illustrates so many aspects and nuances of this blog’s theme.

Here’s your chance to put on your thinking cap, and based on what skyyler and I have written about over the years, tell me what YOU think it represents.

As the comments roll in, we’ll comment on them.

Then, after a few weeks, I’ll peel back my brain and give you a peek inside as to what my reasons were.

Not sure how many of you will take me up on the challenge, but here goes…

 

2 Comments

Filed under Blogging

Don’t Miss all the Free Advice & Info

free adviceWhile you are checking out my blog, make sure you don’t miss all the free advice that’s laying around.

And I’m not talking about the blog posts (those are good too).

Whether you a new reader or you’ve been around since the beginning (2009!), when you find a post you like, don’t forget to do the following after you read it:

  1. Look in the upper right corner of the website for my Quick Links. This will take you to multiple posts on these subjects.
  2. Use the Search Box to search for key words.
  3. When you read a post, check out the Comments. We respond to a lot of questions and provide information that isn’t in the blog posts.
  4. Leave a question of your own in Comments. We will respond.

Leave a comment

Filed under Audit

Auditor Struggles, Part 4

This is Part 4 of a Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. See Part 1, Part 2, Part 3.

Does the Process X team provide metrics around their process?” I asked.

“Yes,” the most senior auditor replied, showing me the web page where the Process X metrics were displayed.

After reviewing the page briefly, I said, “I see they do metrics by month. You have a year’s data; are you planning to understand how they prepare their metrics and re-calculate them to see if you get the same numbers?”

Continue reading

Leave a comment

Filed under Audit, Case Files, Data Analytics, Excel

Auditor Struggles, Part 3

This is Part 3 of a Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. See Part 1 and Part 2.

I looked at the third page of the handout and asked, “What is this?”

“A list of Active Directory (AD) groups and the user IDs in each group. I searched AD for any group containing the system name,” the junior auditor said, “and identified these 6 groups. I then downloaded all the members of these groups from AD into Excel.”

Continue reading

Leave a comment

Filed under Audit, Case Files, Data Analytics, Excel

Auditor Struggles, Part 1

Some auditors struggle with basic auditing. So when these auditors try to data analysis, well you can imagines how that goes.

I recently met with a team of auditors to give them input on what data profiling would be appropriate to perform. And what analytics might be insightful.

This is Part 1 of a 4-part Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. Do not try these methods at home or work. Don’t even dream about them, awake or asleep. 

Continue reading

5 Comments

Filed under Audit, Case Files, Excel

xLookup Coming to Excel Near You!

Microsoft announced that they are adding a big brother to vLookup named xLookup.

The best things about xLookup: 1) it fixes some of the limitations of vLookup, 2) it is easy to understand and use, and 3) it replaces hLookup also.

Also, vLookup and hLookup are not going anyway, so if any of your colleagues struggle to learn new things, they can continue to use them as is.

Continue reading

1 Comment

Filed under Audit

A Sneaky Way to Analyze IT Controls

When auditors need to identify and understand IT controls, they search the company intranet, review policies, look for Github repositories, review inventories, schedule meetings, and analyze IT asset data.

I stumbled on a better way to get insight into the IT controls in my company, and I didn’t have to email anyone, do any research, or frankly, anything outright. The IT controls came after me.

Fortunately, the IT controls were blind to the fact that I am an IT auditor. To them, I was just an ordinary bloke. But that didn’t last long (more on that later).

It Began a Few Years Back

It all started a couple years ago when I was building the infrastructure required to support our data analytic efforts in internal audit.

Continue reading

Leave a comment

Filed under Audit, Case Files, Security, Technology

Before You Analyze Data

Before you start analyzing data, you need to 1) know you have the right data, and 2) understand the data and the process that produced it.

This post assumes, of course, that you already accomplished some of the hardest tasks already: figuring out what data you need, where to get it, and actually getting the data. Good luck with that. :)

This post is part of the Excel: Basic Data Analytic series.

Continue reading

Leave a comment

Filed under Audit, Data Analytics, Excel, How to...

How to Profile Data

Before you analyze data, you should profile it.

Otherwise, your analysis may not be too broad, too narrow, or you may miss some important insights or errors.

This post is part of the Excel: Basic Data Analytic series.

Data profiling is developing a profile of your data, just as facial profiles of a person, taken from various angles, helps you size up a person’s nose, identify whether his chin is sagging, and how far apart the person’s eyes are.

Continue reading

4 Comments

Filed under Audit, Data Analytics, Excel, How to...

Quote of the Weak – Clean Data Manually

clean data manuallyIf you are in IT, audit, or security (or any other job requiring data analysis), you should NOT be cleaning data manually.

Let me share a recent experience with you….

A young IT auditor texted me at work and asked for some Active Directory user account data that I capture automatically every week, using some scheduled ACL scripts.

If you’re not familiar with my ‘Quote of the Weak’ series, I described it briefly in About. For a list of posts in this series, see here.

Continue reading

2 Comments

Filed under Audit, Case Files, Data Analytics, Excel, How to..., Quote of the Weak, Security, Technology

Job Automation Quiz

automation quiz

Test how much you know about automation technologies by taking the job automation quiz at Financial Management magazine.

Continue reading

Leave a comment

Filed under Audit, Free, Security, Technology

ACL Robotics is NOT Robotics

RPA the robotContrary to what ACL has been touting as their new ‘robotics’ feature, it is NOT robotics process automation (RPA).

[The ‘robotics’ feature is due out later in 2018. It appears to be ACL’s latest attempt to get you to use their GRC software.]

ACL, via John Verver, defines the term this way in his RPA article: “The idea is a relatively simple one: get computers to perform tasks normally performed by humans, and cut resource and time requirements for many repetitive activities.” Continue reading

3 Comments

Filed under ACL, Audit, Data Analytics, Scripting (ACL), Technology

ACL Tip: Be Careful when Renaming Tables

acl table leggy




When you need to rename ACL tables, be careful to also rename the associated .fil file also.

Otherwise, you (or your ACL script) might get confused. You might delete the wrong table or .fil file, and create a head-scratching problem.

I know because I confused myself.

Continue reading

Leave a comment

Filed under ACL, Audit, Data Analytics, How to..., Scripting (ACL)

Bank Closes Account, Doesn’t Know Why

bank deposit boxRecently, a large U.S. bank was found to have created unauthorized accounts; a similar bank closed one of my accounts, but doesn’t know why it happened.

More than a decade ago, I opened a safety deposit box at a local bank (a very large U.S. bank that all U.S. residents would have heard of). This wasn’t my regular bank, as my bank didn’t have such boxes; I only went to this other bank when I needed to access my safety deposit box, which was not often.

Continue reading

7 Comments

Filed under Audit, Security

Kyle and a Conversation about Analytics

kyle bitsA while back, a reader named Kyle and I had a conversation about analytics.

It started with his reading my Excel:Basic Data Analytics post where I list a number of procedures that anyone can do in Excel.

Kyle said he was expecting some “super sophisticated process & methodology that works like magic.”

Continue reading

Leave a comment

Filed under Audit, Data Analytics, Technology

Quick Introduction to ACL

If you’ve ever wondered what Audit Command Language (ACL) is, here’s a quick way to find out.

ACL has provided a quick, one-page introduction to ACL. And I mean quick.

It doesn’t explain a lot, but it gives you a quick peek at the basic user interface.

You could call it the ACL Overview for Dummies.

Continue reading

2 Comments

Filed under ACL, Audit, Data Analytics, Technology

Analytics Blog Debate Heating Up

A debate on this blog over analytics and the future of internal audit is heating up.

A few readers, including our colleague across the sea, AuditMonkey, have dove in, and skyller and I have responded in kind.

Well, not exactly. AuditMonkey has been more kind, to his credit. But I digress.

Continue reading

Leave a comment

Filed under Audit, Data Analytics, Employment

FREE Fraud Investigation Quiz

Quiz yourself to discover how much you know about fraud investigations.free quiz

While you may not be tasked with leading an investigation, you might need to work with those working on such an investigation. Either way, do you know the basics?

This quick, 5-question quiz from the Journal of Accountancy will indicate what you know AND what you don’t. And whether you get each answer right or wrong, the answers provide additional information. Continue reading

4 Comments

Filed under Audit, fraud, Free

Deleting ACL Table Covers A Multitude of Sins

Delete ACL table problemI’m not sure why, but sometimes deleting an ACL table or two covers a multitude of sins, errors, or just plain weird behavior.

No, I don’t get any error messages. That’s the strange part.

I’m talking about strange ACL behavior that you can’t troubleshoot by reviewing the log.

Continue reading

Leave a comment

Filed under ACL, How to..., Scripting (ACL)

Robotics to Replace ACL, Part 2

robot replace ACLPreviously I wrote Will Robotics (RPA) Replace ACL?

The short answer is no, and I describe the reasons in that post.

But that doesn’t mean someone won’t try.

Shortly after I wrote my original robotics post, I encountered robotics vs. ACL, part 2.

Continue reading

1 Comment

Filed under ACL, Audit, Scripting (ACL), Technology

Security Camera Saves Auditor $60

video camerA security camera helped this auditor recoup $60 recently, 2 months after I lost it.

You might recall my previous encounter with security cameras in Do Your Security Cameras Give Good Customer Service?

I was back in the same store, but this time I had a different problem.

Continue reading

Leave a comment

Filed under Audit

New IT Auditor (and WannaBEs) Master List

Here’s a list of all my posts to-date related to becoming or growing as an IT Auditor, all in one place for easy reference.
I’ll add other posts as they are written.

Continue reading

11 Comments

Filed under Audit, Employment, How to..., Security, Technology

Use LinkedIn to get an IT Audit job

If you’re looking for an IT Audit job, here’s how to use LinkedIn to get noticed.

new-auditorIn a nutshell, you need to enhance your LinkedIn profile so that everyone knows you’re working hard at learning IT auditor skills.

If you’re already working as an IT auditor, use these suggestions to get noticed more and move ahead (or into another company with more opportunities).

Continue reading

4 Comments

Filed under Audit, Certification, Employment, How to..., Technology

Why Internal Auditors Should Care about Robotic Process Automation

3 Comments

Filed under Audit, Data Analytics, Employment, How to..., Technology

Audit Management Sometimes Sucks

see no evilWhen internal auditors (or those pretending to be such) do poor work and don’t follow the appropriate audit and IT standards, they are unprofessional. However, I put the blame at the feed of audit management.

Continue reading

7 Comments

Filed under Audit, Employment

How to get an IT Audit job with little or no experience

I get asked all the time, “How do I get a job in IT audit with little or no experience?”

When Michael Onuoha asked me this question (see here), I thought I’d share my response with my readers.

You’ll find these same answers scattered around the blog as I answered people in the past, but I thought I’d pull it all together into one place.

Breaking into any field can be difficult, but it can be done. Especially when the demand for IT auditors is so high.

Continue reading

26 Comments

Filed under Audit, Certification, Employment, How to..., Technology

Top 10 Reasons Why Being an IT Auditor is So Hard

tenBefore you choose a career as an IT auditor, consider my top 10 reasons why being an IT auditor is so hard.

Continue reading

3 Comments

Filed under Audit, Employment, Technology, Top 10