Mack-the-Auditor Gets Audited! Part 2

This is the second of 3 posts; this post describes the audit, some speed bumps, and the audit results.

Read the first post here, which provides the background on the audit and the audit’s scope.

Continue reading →

Mack-the-Auditor Gets Audited! Part 1

Usually, I’m the one doing the auditing, but this time, I (Mack) was the one who was audited.

It was a great experience for me.

Well, sort of. No one likes being audited (ahem). But it gave me a fresh perspective of how others feel when I audit them.

This is the first of 3 posts; this post contains some background info on the project that was audited, and the second one discusses the audit and the results, and in the third post, I describe my perspective on the whole thing, and some takeaways.

Continue reading →

Auditor Struggles, Part 4

This is Part 4 of a Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. See Part 1, Part 2, Part 3.

Does the Process X team provide metrics around their process?” I asked.

“Yes,” the most senior auditor replied, showing me the web page where the Process X metrics were displayed.

After reviewing the page briefly, I said, “I see they do metrics by month. You have a year’s data; are you planning to understand how they prepare their metrics and re-calculate them to see if you get the same numbers?”

Continue reading →

Auditor Struggles, Part 3

This is Part 3 of a Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. See Part 1 and Part 2.

I looked at the third page of the handout and asked, “What is this?”

“A list of Active Directory (AD) groups and the user IDs in each group. I searched AD for any group containing the system name,” the junior auditor said, “and identified these 6 groups. I then downloaded all the members of these groups from AD into Excel.”

Continue reading →

Auditor Struggles, Part 1

Some auditors struggle with basic auditing. So when these auditors try to data analysis, well you can imagines how that goes.

I recently met with a team of auditors to give them input on what data profiling would be appropriate to perform. And what analytics might be insightful.

This is Part 1 of a 4-part Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. Do not try these methods at home or work. Don’t even dream about them, awake or asleep. 

Continue reading →

A Sneaky Way to Analyze IT Controls

When auditors need to identify and understand IT controls, they search the company intranet, review policies, look for Github repositories, review inventories, schedule meetings, and analyze IT asset data.

I stumbled on a better way to get insight into the IT controls in my company, and I didn’t have to email anyone, do any research, or frankly, anything outright. The IT controls came after me.

Fortunately, the IT controls were blind to the fact that I am an IT auditor. To them, I was just an ordinary bloke. But that didn’t last long (more on that later).

It Began a Few Years Back

It all started a couple years ago when I was building the infrastructure required to support our data analytic efforts in internal audit.

Continue reading →

Quote of the Weak – Clean Data Manually

If you are in IT, audit, or security (or any other job requiring data analysis), you should NOT be cleaning data manually.

Let me share a recent experience with you….

A young IT auditor texted me at work and asked for some Active Directory user account data that I capture automatically every week, using some scheduled ACL scripts.

If you’re not familiar with my ‘Quote of the Weak’ series, I described it briefly in About. For a list of posts in this series, see here.

Continue reading →