Abandon ACL and Others, Part 2

This post is in response to Xavier and Grant, who were kind enough to push back a bit on a previous post, Abandon ACL and Others? See their comments on that post.

I will respond to some of their points and reveal some more of my thinking as to why I believe that auditors need to become a LOT more technical.

Some may think I am just digging my hole a little deeper, but I’ve always loved the journey.

Continue reading →

Advertisement

Response to ‘ChatGPT Analyzes Internal Audit!’

This post contains my response to my earlier post, ChatGPT Analyzes Internal Audit!

First of all, most of the article sounded like it was written by external auditors; it sounds important, but really doesn’t say much.

Continue reading →

IIA Analytics Article Dead Wrong

A recent IIA article on building an analytics function in internal audit is dead wrong.

At least on one major point, anyway. And it’s a big one.

As the tombstone reads, this point is D.O.A (dead on arrival, or more specifically, dead on analytics).

The article, Building a data analytics program, requires IIA membership to view, and is located at https://iaonline.theiia.org/2017/Pages/Building-a-Data-Analytics-Program.aspx (that’s actually good, as it means a lot fewer people will ever read it).

Continue reading →

New IT Auditor (and WannaBEs) Master List

Here’s a list of all my posts to-date related to becoming or growing as an IT Auditor, all in one place for easy reference.
I’ll add other posts as they are written.

Continue reading →

Auditors, Do Data Analytics or Die

If you’re an auditor, you need data analytic skills or you will die.

Or put another way, if you don’t acquire them in the next 1-5 years, you will no longer be an auditor.

Pretty bold statement, isn’t it?

Continue reading →

Hiring Auditors Who Can Think

Norman Marks, of the Institute of Internal Auditors, likes to hire auditors who can think.

You should too.

How does he do it?

Continue reading →

How to be an Irritating Auditor

If you need to read about how to be an irritating auditor, you obviously haven’t been auditing very long. According to most auditees, that quality comes with the territory, right? I hope not!

Continue reading →

CISA vs. CIA Certification

If you’re an IT auditor (or want to be one) and don’t have any audit certifications, which certification should you get, the CISA or the CIA? If you want to get both, which one do you get first?

Full disclosure: I have the CISA, but not the CIA. Back when the CIA was 4 exams, I studied for all the CIA exams except the financial exam, but ended up not taking any of the exams. I also have the CISSP.

Continue reading →

Audit and IT Audit for Dummies

Here’s some links for Audit and IT Audit for dummies, one from the IIA, the other from ISACA. Most of them do not require being a member or logging in.

While these articles are not extensive, they will point new auditors in the right direction, and provide a refresher for the rest of us. Continue reading →

May –> Audit Awareness Month

May is Audit Awareness Month, so if you want to host an event to promote audit at your organization, you’re short on time.

I wrote about this last year, and all the links on that post are still good, so see May = Audit Awareness Month for ideas.

Hey, I’m recycling last year’s post, so this must be a GREEN blog!

IIA and ISACA Synergies

Back in September, two audit groups shook hands…

IIA and ISACA signed a formal memorandum of understanding (MOU), which means they’ll scratch each others’ back. The IIA’s president, Richard Chambers, explains what it means for the future in his blog.

Notice that both CEOS are listed at the bottom of the memo and that one of them is void of certifications…

IIA Basics for Auditors

The  Institute of Internal Auditors (IIA) has back-to-basics articles for new auditors (and like Dummies books, the topics can be a reference for the rest of us). Even security pros might want to read a few of these to better understand their auditors, or how those auditors should be doing their jobs.

The topics are as follows (no special order):

Continue reading →

May = Audit Awareness Month

Did you know that it’s Internal Auditing Awareness Month? More importantly, do you care?

If so, check out this IIA website for ideas, tools, and resources for promoting an internal audit group near you.

Continue reading →

Tribute to Willy Wonka

Who thinks the IIA is stuffy? No one, if Mike Jacka has anything to say about it…

A song to be sung to auditees…

Continue reading →

Standard (Snake) Oil

I’m getting discouraged. I’m starting to wonder how many audit departments follow auditing standards, say, from IIA or ISACA. After some of the IT audits and IT SOX audits I’ve seen in the past year, who knows.

Some companies take their control owner words as gold and don’t verify them.

“They wouldn’t give you the information if it wasn’t true! Audit the evidence you’re given and quit questioning everything!” said one audit director. Excuse me, but doesn’t ISACA requires auditors to maintain their professional skepticism. Perhaps ISACA means be skeptical of audit directors?

Continue reading →

90’s High 5 for Auditors

Richard Chambers, the president and CEO of the IIA, noted 5 defining events and their impact on internal auditing in the 90’s decade.

1. Adoption of the Professional Practices Framework (2002)
2. Financial Fraud and the Ensuing Corporate Failures (2002)
3. Cynthia Cooper Named a Time Magazine “Person of the Year” (2002) – whistleblower at WorldCom (I had to look it up myself)
4. Release of The PCAOB’s Auditing Standard Number 2 (2004) – which was then superseded by AS 5
5. Global Economic Crisis (2008-2009)

Catch all his comments here. I think #2 is going to keep occurring with surprising regularity.