Critical Thinking? How about just Thinking?

It seems to me that auditing as a profession is not full of critical thinkers, much less thinkers.

If you read my last post about auditor judgment, I’m struggling with some of the junior auditors that I’m working with.

But I’m also struggling with quite a few of the senior auditors that I work with, those that are my peers (which means they peer at what I’m doing and how I’m doing it and then continue on their merry paths).

I came to this opinion based on most of the auditors I’ve met through the years across many companies, small and big, and across sectors, including public service. And also by the many articles calling for the profession to do more critical thinking, and yes, it is needed. 

But let’s start with plain old thinking (walk before run).

Continue reading →

Quote of the Weak – Auditor Judgment

We recently acquired a new data analysis tool in our department, which prompted some of our newbie auditors to share their misunderstanding of auditor judgment and basic data analysis.

A group of less experienced and newer auditors were selected to try out the new tool before it was rolled out department-wide.

 If you’re not familiar with my ‘Quote of the Weak’ series, I described it briefly in About. For a list of posts in this series, see here. If you haven’t seen one of these posts before, it’s because I haven’t had one in a while…

Continue reading →

New IT Auditors Should Start Here

If you’re a new IT auditor or want to become one, I’ve listed a number of my earlier posts for your consideration. If you’re an experienced auditor, here’s an overview of the profession through my eyes.

These posts will:

1. Provide basic information regarding IT audit and security and links to other sources.
2. Help you avoid some of the hidden pitfalls that control owners and auditors face.
3. Give you ideas and approaches for some common and uncommon audits.
4. Give you a few chuckles.

If you start at the top and read through each post, you’ll get a good taste of the positives and negatives of IT auditing. Since you can’t do it in one sitting, you could bookmark the list and work your way through it as you have time.

Continue reading →

The Simplest, Cheapest, and Most Effective Disaster Recovery Plan Ever

About a decade ago, I personally witnessed the handover of the simplest, cheapest, and most effective disaster recover plan ever.

Let me first give you a little background….

I worked for a great IT director, who moved to another company, much bigger, and brought me with him.

In the new company, he again was responsible for all IT, and he brought me along to manage security and disaster recovery.

If I named this company, at least 25% of you would recognize it, even those of you around the world–true story, too.

Continue reading →

Mack Falls Prey to Phishing Email

It finally happened: I fell prey to a phishing email.

I actually clicked a link.

At work, no less. Not good.

Continue reading →

Dilbert Does Big Data

If you like Dilbert cartoons or big data, you might enjoy Dilbert’s adventures in data analysis, data mining, data privacy, security, and dealing with a dumb manager.

Continue reading →

How to Describe What an IT Auditor Does?

If you’re an IT auditor, how do you describe your job to those who don’t understand technology or auditing? Even more interesting, how do others describe your activities?

Here’s what I say, but I’m not satisfied with it:

I review computer systems and networks to determine whether they are secure and that access to those systems is limited to the appropriate people.

I review the policies and procedures that describe how those systems are used and determine whether those documents make sense, are up-t0-date, and are followed.

Continue reading →

Quotes of the Weak (NOT)

Over the years, I think that Skyyler and I have penned some pretty funny lines.

If you’re in the mood for some humor, read on and discover why these lines appeared in these posts.

Usually, we were making a serious point in a comical way.

Continue reading →

SONY stored Passwords in Password Directory

And in unprotected documents.

Lots of passwords. Lots of documents. Lots of easy access.

Continue reading →

Jacka’s Most Interesting and Geeky Auditor

If you’re in the mood for auditor humor (is that an oxymoron?), the IIA’s Mike Jacka has something for you.

Continue reading →

Auditing is a Noble Profession

While commenting on AuditMonkey’s blog, I noted that because companies often don’t do the right thing, auditing is a noble profession.

Mainly because we can right some of those wrongs.

Then I said…

Continue reading →

How to be an Irritating Auditor

If you need to read about how to be an irritating auditor, you obviously haven’t been auditing very long. According to most auditees, that quality comes with the territory, right? I hope not!

Continue reading →

Top 10 Reasons to be an IT Auditor

Here’s my list of the top 10 reasons to be an IT auditor:

10. You have access to all systems, data, and people (with a business reason, of course). Employees rarely ignore you.

9. You can uncover fraud, mischief, ignorance, and just plain laziness. Either way, you “add value to the business” (yeah, I hate that term too, but it is what audit is about, and so appropriate).

Continue reading →

Stinkin Thinkin Reboot

Recently I was having a problem with my phone connecting to another device, and I tried almost everything, including reconfiguring my phone and the other device. Finally, I decided to reboot my phone, and suddenly my phone connected. Perhaps the device configuration + phone reboot was what it needed, but I now wonder if the phone reboot alone would have done the trick and saved me a lot of unnecessary work. The problem is, I won’t know unless it happens again.

Continue reading →

Security Diagram and SOX Space Lazer

I recently found a Sarbanes-Oxley (SOX) Space Lazer (sic) on a network security diagram. No kidding. The following items also appeared:

• Interstate 495
• Wang 5000
• Batphone
• Peanut butter
• Printer of evil
• Gene Hackman
• Automated Retirement Party Flyer Generation Appliance

Continue reading →

May –> Audit Awareness Month

May is Audit Awareness Month, so if you want to host an event to promote audit at your organization, you’re short on time.

I wrote about this last year, and all the links on that post are still good, so see May = Audit Awareness Month for ideas.

Hey, I’m recycling last year’s post, so this must be a GREEN blog!

Bruce Schneier Useless Fun Facts

If you have any idea of who Bruce Schneier is, you have to check out http://www.schneierfacts.com/. It is useless funny facts about Bruce a la Chuck Norris. Try not to LOL.

Continue reading →

Stupid Spam Comments 2

Like most bloggers, I get really stupid spam comments. Fortunately, the spam filter or widget, Akismet, has caught everyone one I’ve received so far. As a result of the filter, I was able to make my blog more comment-friendly (I’d love to tell you all about it, but that would only invite more spam, and I like bacon a bit more).

Continue reading →

Pathethic Password Help Pages

I found some really pathetic password help pages on a company’s intranet while I was there visiting.

This is a large company that most people would recognize, and it is subject to plenty of government regulations. Overall, I’ve heard the security is pretty tight, but since I’ve never worked there, I can’t speak from experience. Except, that is, the experience I mentioned in an earlier post, Randomly Generate Weak Passwords. Perhaps all their security is what Bruce Schneier likes to call “security theater.”

Continue reading →

You May Kiosk the Bride

I was in a hurry, trying to print out a bridal registry list from a kiosk in a well-known store. I punched in the bride’s name and the list popped up. I pressed the PRINT button on the screen. The first page appeared as expected, but then things became a little more interesting.

Continue reading →

Diagram of Typical IT Audit

I found a great graphic that documents the main steps in a typical IT audit. If you don’t find this funny, please tell me why. Check it out here.

Continue reading →

IIA and ISACA Synergies

Back in September, two audit groups shook hands…

IIA and ISACA signed a formal memorandum of understanding (MOU), which means they’ll scratch each others’ back. The IIA’s president, Richard Chambers, explains what it means for the future in his blog.

Notice that both CEOS are listed at the bottom of the memo and that one of them is void of certifications…

Randomly Generate Weak Passwords

I was at a client’s site looking for more contract work when the manager of the department started telling me about their great IT security website on their Intranet. She clicks on their random generator password page and shows me how you can generate a block of “approved” passwords, sanctioned by their security department. At the top of the page, a banner read: Select a Strong Password!

Continue reading →

More on Spamming Blogs

I just found a great spam comment in my Akismet filter. Check it out in Blogging: Spammers under the heading, Update 3 — 8/7/10.

401K Woes Resolved

Remember my post about the High Cost of 401K Accounts? My blog must have a wider reach than I realize, because someone at the trust company took my advice, and I received a check in the mail.

Continue reading →

A Few Good Posts

Whether you’re new to this blog or not, you might have missed a few good posts. Here’s some links and short descriptions.

Schneier’s Security Trade-offs – Security expert Bruce Schneier’s 5 questions for assessing the security process of anything.

Continue reading →

Quote of the Weak (Unqualified Opinion)

Some people do not understand that both diamonds and the Internet are forever. I found this statement in a discussion on LinkedIn:

I am excited about 2 interviews next week even though  I’m not fully qualified for either one.

Continue reading →

Tribute to Willy Wonka

Who thinks the IIA is stuffy? No one, if Mike Jacka has anything to say about it…

A song to be sung to auditees…

Continue reading →

Sheepish Big 4 Joke

I landed on KAUDITOR’s Auditing and Accounting blog and found this joke:

Kenny, an accountant, who just joined the big 4, was having a hard time sleeping and goes to see his private doctor. “Doctor, I just can’t get to sleep at night.”

Continue reading →

Quote of the Weak (Pass the control)

A colleague of mine is doing some testing for an audit director that changes her mind frequently on how to deal with audit findings. Occasionally, she is all about nailing control owners who do not have all their ducks groomed and in a row. At other times, she pushes Audit to work as hard as possible to pass all controls.

Continue reading →

Quote of the Weak (Stab the Wounded)

A friend of mine heard this one and passed it on to me:

Auditors are those who get to the battlefield after the war is over and stab the wounded.

Continue reading →

This is a Mechanics Blog!

Thanks to TycoonBlogger (my favorite “blogging” blogger), I finally know what this blog is about.

Based on his Find out your blog’s personality type post, I found and ran the Typealyzer tool against my blog. It analyzes a blog and provides its Myers- Briggs Type. Here’s what it said about this blog:

The analysis indicates that the author of https://itauditsecurity.wordpress.com/ is of the type:

Continue reading →

Quote of the Weak (Children under 18)

During the Olympics, an advertisement for a medication for treating major depressive disorder (MDD) caught my attention. It aired appropriately after I became depressed that Apollo Ohno was disqualified in the speed skating short track:

Continue reading →

How was your day?

Yesterday was one of those days where the clock just spins, you get a lot done, and nothing out of the ordinary occurs. You have some meetings, dig into the data, and identify a finding, do a little more research, and fire off an email to get an explanation from the control owner.

Continue reading →

auditor lived in a pretty hard town

After my quip about some auditors write more like e. e. cummings than auditors, I recalled my favorite poem of his. With apologies to cummings, I recast it into auditor worldspeak.

auditor lived in a pretty hard town
(with up so floating many tests down)
spring summer autumn winter
he sang his pass he danced his fail

Continue reading →