As an auditor, I am told all the time by the business that “we have a current project plan that is addressing that risk”, which implies that I shouldn’t waste everyone’s time writing up an audit issue regarding the problem.
It means that the risk isn’t as big as it appears.
The other day I was in a meeting to discuss a new analytics project and discovered the team had no end goal.
When the discussion started with the software to be used, I knew they were already off track.
It seems to me that auditing as a profession is not full of critical thinkers, much less thinkers.
If you read my last post about auditor judgment, I’m struggling with some of the junior auditors that I’m working with.
But I’m also struggling with quite a few of the senior auditors that I work with, those that are my peers (which means they peer at what I’m doing and how I’m doing it and then continue on their merry paths).
I came to this opinion based on most of the auditors I’ve met through the years across many companies, small and big, and across sectors, including public service. And also by the many articles calling for the profession to do more critical thinking, and yes, it is needed.
But let’s start with plain old thinking (walk before run).
If you’re a new IT auditor or want to become one, I’ve listed a number of my earlier posts for your consideration. If you’re an experienced auditor, here’s an overview of the profession through my eyes.
These posts will:
- Provide basic information regarding IT audit and security and links to other sources.
- Help you avoid some of the hidden pitfalls that control owners and auditors face.
- Give you ideas and approaches for some common and uncommon audits.
- Give you a few chuckles.
If you start at the top and read through each post, you’ll get a good taste of the positives and negatives of IT auditing. Since you can’t do it in one sitting, you could bookmark the list and work your way through it as you have time.
About a decade ago, I personally witnessed the handover of the simplest, cheapest, and most effective disaster recover plan ever.
Let me first give you a little background….
I worked for a great IT director, who moved to another company, much bigger, and brought me with him.
In the new company, he again was responsible for all IT, and he brought me along to manage security and disaster recovery.
If I named this company, at least 25% of you would recognize it, even those of you around the world–true story, too.
It finally happened: I fell prey to a phishing email.
I actually clicked a link.
At work, no less. Not good.
If you like Dilbert cartoons or big data, you might enjoy Dilbert’s adventures in data analysis, data mining, data privacy, security, and dealing with a dumb manager.
Over the years, I think that Skyyler and I have penned some pretty funny lines.
If you’re in the mood for some humor, read on and discover why these lines appeared in these posts.
Usually, we were making a serious point in a comical way.
And in unprotected documents.
Lots of passwords. Lots of documents. Lots of easy access.
If you’re in the mood for auditor humor (is that an oxymoron?), the IIA’s Mike Jacka has something for you.
While commenting on AuditMonkey’s blog, I noted that because companies often don’t do the right thing, auditing is a noble profession.
Mainly because we can right some of those wrongs.
Then I said…
If you need to read about how to be an irritating auditor, you obviously haven’t been auditing very long. According to most auditees, that quality comes with the territory, right? I hope not!
Here’s my list of the top 10 reasons to be an IT auditor:
10. You have access to all systems, data, and people (with a business reason, of course). Employees rarely ignore you.
9. You can uncover fraud, mischief, ignorance, and just plain laziness. Either way, you “add value to the business” (yeah, I hate that term too, but it is what audit is about, and so appropriate).
I recently found a Sarbanes-Oxley (SOX) Space Lazer (sic) on a network security diagram. No kidding. The following items also appeared:
- Interstate 495
- Wang 5000
- Peanut butter
- Printer of evil
- Gene Hackman
- Automated Retirement Party Flyer Generation Appliance
May is Audit Awareness Month, so if you want to host an event to promote audit at your organization, you’re short on time.
I wrote about this last year, and all the links on that post are still good, so see May = Audit Awareness Month for ideas.
Hey, I’m recycling last year’s post, so this must be a GREEN blog!
If you have any idea of who Bruce Schneier is, you have to check out http://www.schneierfacts.com/. It is useless funny facts about Bruce a la Chuck Norris. Try not to LOL.
I found some really pathetic password help pages on a company’s intranet while I was there visiting.
This is a large company that most people would recognize, and it is subject to plenty of government regulations. Overall, I’ve heard the security is pretty tight, but since I’ve never worked there, I can’t speak from experience. Except, that is, the experience I mentioned in an earlier post, Randomly Generate Weak Passwords. Perhaps all their security is what Bruce Schneier likes to call “security theater.”
I was in a hurry, trying to print out a bridal registry list from a kiosk in a well-known store. I punched in the bride’s name and the list popped up. I pressed the PRINT button on the screen. The first page appeared as expected, but then things became a little more interesting.
I found a great graphic that documents the main steps in a typical IT audit. If you don’t find this funny, please tell me why. Check it out here.
Back in September, two audit groups shook hands…
IIA and ISACA signed a formal memorandum of understanding (MOU), which means they’ll scratch each others’ back. The IIA’s president, Richard Chambers, explains what it means for the future in his blog.
Notice that both CEOS are listed at the bottom of the memo and that one of them is void of certifications…
I was at a client’s site looking for more contract work when the manager of the department started telling me about their great IT security website on their Intranet. She clicks on their random generator password page and shows me how you can generate a block of “approved” passwords, sanctioned by their security department. At the top of the page, a banner read: Select a Strong Password!
Remember my post about the High Cost of 401K Accounts? My blog must have a wider reach than I realize, because someone at the trust company took my advice, and I received a check in the mail.
Whether you’re new to this blog or not, you might have missed a few good posts. Here’s some links and short descriptions.
Schneier’s Security Trade-offs – Security expert Bruce Schneier’s 5 questions for assessing the security process of anything.
Some people do not understand that both diamonds and the Internet are forever. I found this statement in a discussion on LinkedIn:
I am excited about 2 interviews next week even though I’m not fully qualified for either one.
Who thinks the IIA is stuffy? No one, if Mike Jacka has anything to say about it…
A song to be sung to auditees…
I landed on KAUDITOR’s Auditing and Accounting blog and found this joke:
Kenny, an accountant, who just joined the big 4, was having a hard time sleeping and goes to see his private doctor. “Doctor, I just can’t get to sleep at night.”
A colleague of mine is doing some testing for an audit director that changes her mind frequently on how to deal with audit findings. Occasionally, she is all about nailing control owners who do not have all their ducks groomed and in a row. At other times, she pushes Audit to work as hard as possible to pass all controls.
A friend of mine heard this one and passed it on to me:
Auditors are those who get to the battlefield after the war is over and stab the wounded.
Thanks to TycoonBlogger (my favorite “blogging” blogger), I finally know what this blog is about.
Based on his Find out your blog’s personality type post, I found and ran the Typealyzer tool against my blog. It analyzes a blog and provides its Myers- Briggs Type. Here’s what it said about this blog:
The analysis indicates that the author of https://itauditsecurity.wordpress.com/ is of the type:
During the Olympics, an advertisement for a medication for treating major depressive disorder (MDD) caught my attention. It aired appropriately after I became depressed that Apollo Ohno was disqualified in the speed skating short track:
Yesterday was one of those days where the clock just spins, you get a lot done, and nothing out of the ordinary occurs. You have some meetings, dig into the data, and identify a finding, do a little more research, and fire off an email to get an explanation from the control owner.
After my quip about some auditors write more like e. e. cummings than auditors, I recalled my favorite poem of his. With apologies to cummings, I recast it into auditor worldspeak.
auditor lived in a pretty hard town
(with up so floating many tests down)
spring summer autumn winter
he sang his pass he danced his fail
I was excited to see the annual 401K statement from one of my former employers had arrived. I was expecting a high return on my current investment, just like last year.
Sure enough, the return was exponential. I smiled, but the smile soon turned into deep laughter.
I was checking out the latest post of my new blogger colleague from London, Audit Monkey, and read the following….
I’m sitting here in reflective mood thinking what the ‘Top 10′ worst possible jobs could be. Here’s my list.
The Life of an Auditor blog has this resignation letter, supposedly left by a PWC auditor, on that fateful last day. Whether it’s real or fictional, some days are really like this, aren’t they?
Check it out:
As many of you now know this friday will be my last day with PwC so I wanted to say good bye and thank you for everything. My decision to leave was not a snap decision as it may have seemed but a well thought out process.
I was reviewing my blog stats and noticed that posts regarding employment and interviewing were my all-time most popular posts. At first, this surprised me, but as I thought about the economy and how many people (including myself) were laid off, it made sense. Here’s my most popular posts to-date:
A few weeks ago, I did several phone interviews and concluded that no abundance of skilled IT auditors are looking for jobs these days.
First, isn’t the purpose of the interview to determine what a person’s experience is, and whether that experience is a good match for the position? At least 3 of the interviewees provided negative information about themselves unexpectedly:
An example of a serious office policy failure…
SAN JOSE, Calif. — An office worker cleaning a refrigerator full of rotten food created a smell so noxious that it sent seven co-workers to the hospital and made many others ill.
Bruce Schneier’s Blowfish encryption algorithm was mangled again on the Fox show 24. According to Schneier’s Crypto-Gram blog, the show claims that Schneier put a backdoor in the algorithm. Based on reader comments on the Crypto-Gram blog, people will believe anything said on TV (or posted on the ‘net).
15 pictures from Google Earth (GE) showcases the power of GE, and the images are indeed interesting. NOTE: Evidently these pics were removed – Mack
Seven images show the Firefox browser circle cut into a crop field (UFO style) and other large-scale animals and objects. The slide show includes commentary and the coordinates of each image. If you’re in a hurry, I recommend images 5 through 10.