If you’re a new IT auditor or want to become one, I’ve listed a number of my earlier posts for your consideration. If you’re an experienced auditor, here’s an overview of the profession through my eyes.
These posts will:
- Provide basic information regarding IT audit and security and links to other sources.
- Help you avoid some of the hidden pitfalls that control owners and auditors face.
- Give you ideas and approaches for some common and uncommon audits.
- Give you a few chuckles.
If you start at the top and read through each post, you’ll get a good taste of the positives and negatives of IT auditing. Since you can’t do it in one sitting, you could bookmark the list and work your way through it as you have time.
Norman Marks, of the Institute of Internal Auditors, likes to hire auditors who can think.
You should too.
How does he do it?
If you’re in the mood for auditor humor (is that an oxymoron?), the IIA’s Mike Jacka has something for you.
If you’re an IT auditor (or want to be one) and don’t have any audit certifications, which certification should you get, the CISA or the CIA? If you want to get both, which one do you get first?
Full disclosure: I have the CISA, but not the CIA. Back when the CIA was 4 exams, I studied for all the CIA exams except the financial exam, but ended up not taking any of the exams. I also have the CISSP.
You can kill an auditor in 10 easy steps. If you’re a manager, it’s even easier. Here’s how:
1. Insist that all periods are followed by 2 spaces. Those days are long gone and so are typewriters. But some managers who review workpapers still insist on this. No kidding!
A little help for non-auditors: a workpaper describes 1) the control being tested, 2) the steps used to select samples and perform the test, 3) the evidence gathered and how it was analyzed, 4) the conclusion, and if the test failed, usually 5) a broad recommendation of what might be done to resolve it.
2. When reviewing workpapers electronically, question an obvious mistake instead of correcting it. For example, I numbered my test steps 1, 2, 3, 5. Just fix it and move on. Don’t waste your time and mine writing things like “is this number correct?” and then sending it back to me to fix it, especially when it’s the only correction in the workpaper. Just fix it! If multiple errors exist, say something to me or send it back and ask me to review all numbers and references. By pointing out a single error, you are wasting shareholder dollars. I sure hope you feel better now!
Previously I’ve discussed why auditors are hated and how auditors can be lovable. But when I saw a Q & A in the ISACA journal about hating auditors, I had to dive in again. Here’s the gist of the article, with my comments in italics. Although there’s some similarity to the posts I’ve mentioned above, they take a slightly different tack through the audit seas.
Auditors that do the following are “hated”…
A while back, I noted some reasons why people hate auditors. Well, you can hop those hurdles, and be an auditor that people love or at least respect. Here’s how:
Remember the Security Scout adventure where I roamed the basement of a major bank and found questionable security issues? If you missed it or need a refresher, read Major Bank Invites Hackers In?
Guess what happened at the bank?
I landed on KAUDITOR’s Auditing and Accounting blog and found this joke:
Kenny, an accountant, who just joined the big 4, was having a hard time sleeping and goes to see his private doctor. “Doctor, I just can’t get to sleep at night.”
Filed under Audit, Security
The Life of an Auditor blog has this resignation letter, supposedly left by a PwC auditor, on that fateful last day. Whether it’s real or fictional, some days are really like this, aren’t they?
Check it out:
As many of you now know, this Friday will be my last day with PwC, so I wanted to say goodbye and thank you for everything. My decision to leave was not a snap decision as it may have seemed but a well-thought-out process.
If you’re an auditor, you’re most likely not the most popular person around, at least in most companies. Unfortunately, auditors are hated (I don’t think that’s too strong a word in some circles) for a number of reasons, as noted below. Fortunately, most of them are avoidable.
- SOX is a waste of time. For most auditees, SOX takes a lot of valuable time away from accomplishing the “real work” of keeping the business running. When you hear this complaint, it usually means one or more of the following is true:
I’m still thinking about the IT auditor interviews I did recently. Not only did I get frustrated with the interviewees, I struggled with my co-interviewers. Not only did I think some of their questions were poor, but they also branded me a “tough interviewer.”
A few weeks ago, I did several phone interviews and concluded that no abundance of skilled IT auditors are looking for jobs these days.
First, isn’t the purpose of the interview to determine what a person’s experience is, and whether that experience is a good match for the position? At least 3 of the interviewees provided negative information about themselves unexpectedly:
Is PCI still relevant? Some are proclaiming that PCI is irrelevant due to the recent, high-profile breaches. David Mortman disagrees, and I’m on his side.