Tag Archives: auditor

New IT Auditors Should Start Here

If you’re a new IT auditor or want to become one, I’ve listed a number of my earlier posts for your consideration. If you’re an experienced auditor, here’s an overview of the profession through my eyes.

These posts will:

  1. Provide basic information regarding IT audit and security and links to other sources.
  2. Help you avoid some of the hidden pitfalls that control owners and auditors face.
  3. Give you ideas and approaches for some common and uncommon audits.
  4. Give you a few chuckles.

If you start at the top and read through each post, you’ll get a good taste of the positives and negatives of IT auditing. Since you can’t do it in one sitting, you could bookmark the list and work your way through it as you have time.

Filed under Audit, Certification, Employment, Excel, Free, How to..., Humor/Irony, Technology

Hiring Auditors Who Can Think

Norman Marks, of the Institute of Internal Auditors, likes to hire auditors who can think.

You should too.

How does he do it?

Filed under Audit, Employment, How to...

Jacka’s Most Interesting and Geeky Auditor

If you’re in the mood for auditor humor (is that an oxymoron?), the IIA’s Mike Jacka has something for you.

Filed under Audit, Humor/Irony

CISA vs. CIA Certification

If you’re an IT auditor (or want to be one) and don’t have any audit certifications, which certification should you get, the CISA or the CIA? If you want to get both, which one do you get first?

Full disclosure: I have the CISA, but not the CIA. Back when the CIA was 4 exams, I studied for all the CIA exams except the financial exam, but ended up not taking any of the exams. I also have the CISSP.

Filed under Audit, Certification, Security, Technology

Plan to Test the Test Plan

Always test the test plan and make sure it actually tests the control or risk being assessed. And make sure the tester (especially when you are observing the tester rather than performing the test yourself) actually follows the test plan.

During a segregation of duties (SOD) test for an expense report approval system, an auditor was observing a client perform a test. The client was supposed to enter his user ID into the Approver field to demonstrate that he could not approve his own expense report.

Filed under Audit

How to Kill an Auditor

You can kill an auditor in 10 easy steps. If you’re a manager, it’s even easier. Here’s how:

1. Insist that all periods are followed by 2 spaces. Those days are long gone and so are typewriters. But some managers who review workpapers still insist on this. No kidding!

A little help for non-auditors: a workpaper describes 1) the control being tested, 2) the steps used to select samples and perform the test, 3) the evidence gathered and how it was analyzed, 4) the conclusion, and if the test failed, usually 5) a broad recommendation of what might be done to resolve it.

2. When reviewing workpapers electronically, question an obvious mistake instead of correcting it. For example, I numbered my test steps 1, 2, 3, 5. Just fix it and move on. Don’t waste your time and mine writing things like “is this number correct?” and then sending it back to me to fix it, especially when it’s the only correction in the workpaper. Just fix it! If multiple errors exist, say something to me or send it back and ask me to review all numbers and references.  By pointing out a single error, you are wasting shareholder dollars. I sure hope you feel better now!

Filed under Audit, How to..., Written by Skyyler

More on Hating Auditors

Previously I’ve discussed why auditors are hated and how auditors can be lovable. But when I saw a Q & A in the ISACA journal about hating auditors, I had to dive in again. Here’s the gist of the article, with my comments in italics. Although there’s some similarity to the posts I’ve mentioned above, they take a slightly different tack through the audit seas.

Auditors that do the following are “hated”…

Filed under Audit

Top 10 Ways to be a Lovable Auditor

A while back, I noted some reasons why people hate auditors. Well, you can hop those hurdles, and be an auditor that people love or at least respect. Here’s how:

Filed under Audit, How to..., Top 10

Bank No Longer Invites Hackers In

Remember the Security Scout adventure where I roamed the basement of a major bank and found questionable security issues? If you missed it or need a refresher, read Major Bank Invites Hackers In?

Guess what happened at the bank?

Filed under Audit, Security, Security Scout

Sheepish Big 4 Joke

I landed on KAUDITOR’s Auditing and Accounting blog and found this joke:

Kenny, an accountant, who just joined the big 4, was having a hard time sleeping and goes to see his private doctor. “Doctor, I just can’t get to sleep at night.”

Filed under Humor/Irony

SANS Audit Checklists

The SANS Audit Advice and Resources* website has a free checklists section:

6 VMWare Settings Every IT Auditor Should Know About

5 Things Every IT Auditor Needs to Know About: SSH Configuration

Filed under Audit, Security

PWC Resignation Letter

The Life of an Auditor blog has this resignation letter, supposedly left by a PWC auditor, on that fateful last day. Whether it’s real or fictional, some days are really like this, aren’t they?

Check it out:

As many of you now know, this Friday will be my last day with PwC so I wanted to say good bye and thank you for everything. My decision to leave was not a snap decision as it may have seemed but a well thought out process.

Filed under Audit, Humor/Irony

Why Hate Auditors?

If you’re an auditor, you’re most likely not the most popular person around, at least in most companies. Unfortunately, auditors are hated (I don’t think that’s too strong a word in some circles) for a number of reasons, as noted below. Fortunately, most of them are avoidable.

  • SOX is a waste of time. For most auditees, SOX takes a lot of valuable time away from accomplishing the “real work” of keeping the business running. When you hear this complaint, it usually means one or more of the following is true:

Filed under Audit

Bad Interviews Qs

I’m still thinking about the IT auditor interviews I did recently. Not only did I get frustrated with the interviewees, I struggled with my co-interviewers. I not only thought some of their questions were poor, but they branded me a “tough interviewer.”

Filed under Audit, Employment

Interviewing IT Auditors

A few weeks ago, I did several phone interviews and concluded that no abundance of skilled IT auditors are looking for jobs these days.

First, isn’t the purpose of the interview to determine what a person’s experience is, and whether that experience is a good match for the position? At least 3 of the interviewees provided negative information about themselves unexpectedly:

Filed under Audit, Employment, Humor/Irony

Attackers Don’t Help Companies, PCI Does

Is PCI still relevant? Some are proclaiming that PCI is irrelevant due to the recent, high-profile breaches. David Mortman disagrees, and I’m on his side.

Filed under Audit, Security