Some Chief Audit Executives (CAEs) and audit managers tend to think that audit automation is a set-it-and-forget-it process. NOT.
In this post, I want to expand on a problem I mentioned in an earlier post , 10 Signs Mgmt Doesn’t Really Support Analytics.
Audit management too often thinks that once a process or an audit is automated, ALL auditor/staff hours previously spent performing that process can be reassigned elsewhere.
That is not the case at all.
Whether you script your projects or use menu commands, you need to review your ACL log carefully.
Good analysts review their results and the log as they work in ACL, after they think they are done, and have others review their log before the ACL project is relied upon.
(You can’t imagine the dumb mistakes my team and I found that saved us a lot of embarrassment later.)
Poor testing and a seemingly simple process conspired against me when I tried to make 36 delicious cups of coffee.
Since I make coffee every morning in my own unit at home, and the instructions were posted next to the coffee maker, I was confident.
But I had never made that many cups of coffee or used a commercial coffee maker. And this machine had a thermos-like carafe that held the coffee and kept it hot.
The instructions said the first step was to turn the coffee maker on. It went down the drain from there.
I found some really pathetic password help pages on a company’s intranet while I was there visiting.
This is a large company that most people would recognize, and it is subject to plenty of government regulations. Overall, I’ve heard the security is pretty tight, but since I’ve never worked there, I can’t speak from experience. Except, that is, the experience I mentioned in an earlier post, Randomly Generate Weak Passwords. Perhaps all their security is what Bruce Schneier likes to call “security theater.”
Greg Shipley, founder of Neohapsis, wrote an article in Information Week magazine, this time about how ineffective most of the money spent on security defenses is against the attacks we’re facing. It’s not a short article, but as I’ve said before, Shipley is always worth reading. Here’s what I found most interesting in the article:
- “Deficiencies, even in our security technologies, are an unfortunate fact of life,” says Shipley.
A colleague of mine is doing some testing for an audit director that changes her mind frequently on how to deal with audit findings. Occasionally, she is all about nailing control owners who do not have all their ducks groomed and in a row. At other times, she pushes Audit to work as hard as possible to pass all controls.