New IT Auditor (and WannaBEs) Master List

Here’s a list of all my posts to-date related to becoming or growing as an IT Auditor, all in one place for easy reference.
I’ll add other posts as they are written.

Continue reading →

Auditors, Do Data Analytics or Die

If you’re an auditor, you need data analytic skills or you will die.

Or put another way, if you don’t acquire them in the next 1-5 years, you will no longer be an auditor.

Pretty bold statement, isn’t it?

Continue reading →

FREE CISA Exam Practice Questions

If you’re looking for FREE practice questions for the CISA exam, I found a good resource.

The site provides over 900 questions for you to test yourself.

Continue reading →

CISSP isn’t as technical anymore

---

Several of my friends passed the CISSP exam recently, and told me that it isn’t as technical as I told them it would be.

They said it was more of a security manager certification.

Continue reading →

Free CISA Prep: Self-Assessment Exam

If you’re planning to take the CISA exam, you need to take ISACA‘s own CISA Self-Assessment exam (get it here).

The exam consists of 50 questions that allow exam candidates to “assess their knowledge of the CISA job practice areas and determine in which information security areas they may have strengths and weaknesses.”

Continue reading →

Why CISSP?

This post answers these questions: Why get the CISSP certification? What has it done for me? What else do I need to know?

Charles, one of my readers, asked me, “Do you have postings related to CISSP?” Not many, but here’s one….

Continue reading →

FREE CISA Glossary

ISACA has a free glossary of IT, audit, and security terms that is not only helpful in studying for the CISA exam, but is a good reference guide for new and experienced auditors.

Continue reading →

CISA vs. CIA Certification

If you’re an IT auditor (or want to be one) and don’t have any audit certifications, which certification should you get, the CISA or the CIA? If you want to get both, which one do you get first?

Full disclosure: I have the CISA, but not the CIA. Back when the CIA was 4 exams, I studied for all the CIA exams except the financial exam, but ended up not taking any of the exams. I also have the CISSP.

Continue reading →

Audit and IT Audit for Dummies

Here’s some links for Audit and IT Audit for dummies, one from the IIA, the other from ISACA. Most of them do not require being a member or logging in.

While these articles are not extensive, they will point new auditors in the right direction, and provide a refresher for the rest of us. Continue reading →

FREE CISA Study Guide

When I was studying for the CISA, I created a 40-page study guide for myself that you can download for free.

If you decide to use it, here’s a couple points to keep in mind:

Continue reading →

More on Hating Auditors

Previously I’ve discussed why auditors are hated and how auditors can be lovable. But when I saw a Q & A in the ISACA journal about hating auditors, I had to dive in again.  Here’s the gist of the article, with my comments in italics. Although there’s some similarity to the posts I’ve mentioned above, they take a slightly different tack through the audit seas.

Auditors that do the following are “hated”…

Continue reading →

IIA and ISACA Synergies

Back in September, two audit groups shook hands…

IIA and ISACA signed a formal memorandum of understanding (MOU), which means they’ll scratch each others’ back. The IIA’s president, Richard Chambers, explains what it means for the future in his blog.

Notice that both CEOS are listed at the bottom of the memo and that one of them is void of certifications…

More on the CisA Exam

This topic will be assorted rambles and comments regarding what I now call the “CisA” exam. Check out this post that started it all:  Where is the IS in CISA?

Continue reading →

Where is the IS in CISA?

Why do so many IT auditors who pass the CISA know so little about IS and security–and in my opinion aren’t worth hiring* for that and several other reasons?

Well, I think I figured it out. So what clarified my understanding? I took the CISA exam.

Continue reading →

This is a Mechanics Blog!

Thanks to TycoonBlogger (my favorite “blogging” blogger), I finally know what this blog is about.

Based on his Find out your blog’s personality type post, I found and ran the Typealyzer tool against my blog. It analyzes a blog and provides its Myers- Briggs Type. Here’s what it said about this blog:

The analysis indicates that the author of https://itauditsecurity.wordpress.com/ is of the type:

Continue reading →

Quote of the Weak (Attacker’s Perspective)

I don’t like to pick bones with my fellow ISACAeans, but when I saw this in the Journal recently, I had to react. Can you pick out the problem?

Continue reading →

More Snake Oil

In Standard (Snake) Oil, I complained about  companies that don’t audit according to standards because some treat control owner statements as pure gold, don’t insist evidence be tied back to actual systems, and don’t ask all the appropriate questions.

Here’s a few more questionable practices that I’ve challenged all too recently.

Continue reading →

Standard (Snake) Oil

I’m getting discouraged. I’m starting to wonder how many audit departments follow auditing standards, say, from IIA or ISACA. After some of the IT audits and IT SOX audits I’ve seen in the past year, who knows.

Some companies take their control owner words as gold and don’t verify them.

“They wouldn’t give you the information if it wasn’t true! Audit the evidence you’re given and quit questioning everything!” said one audit director. Excuse me, but doesn’t ISACA requires auditors to maintain their professional skepticism. Perhaps ISACA means be skeptical of audit directors?

Continue reading →