A looooooong time ago, Leeann asked me to write a post about blogging about internal audit, so here goes. Most of this post applies to blogging on any subject, too.
First of all, there is a dearth of good internal audit blogs, and even less good IT audit blogs. So if you’re thinking about, we sure could use you in the blogsphere!
Writing a blog is hard work, and you often get tired of it. Life finds a way to get in the way. This is my 11th year of the blog (see the first post here), which, ironically, was written by skyyler. Fortunately, we’ve gotten better since that first year.
Blogging about internal audit is like a moon shining in a dark place… here’s my 10 tips…
Filed under Audit, Blogging
When auditors need to identify and understand IT controls, they search the company intranet, review policies, look for Github repositories, review inventories, schedule meetings, and analyze IT asset data.
I stumbled on a better way to get insight into the IT controls in my company, and I didn’t have to email anyone, do any research, or frankly, anything outright. The IT controls came after me.
Fortunately, the IT controls were blind to the fact that I am an IT auditor. To them, I was just an ordinary bloke. But that didn’t last long (more on that later).
It Began a Few Years Back
It all started a couple years ago when I was building the infrastructure required to support our data analytic efforts in internal audit.
Test how much you know about automation technologies by taking the job automation quiz at Financial Management magazine.
AuditMonkey has written about the Royal Bank of Scotland’s change management troubles.
If you’re planning to take the CISA exam, you need to take ISACA‘s own CISA Self-Assessment exam (get it here).
The exam consists of 50 questions that allow exam candidates to “assess their knowledge of the CISA job practice areas and determine in which information security areas they may have strengths and weaknesses.”
If you’re an IT auditor (or want to be one) and don’t have any audit certifications, which certification should you get, the CISA or the CIA? If you want to get both, which one do you get first?
Full disclosure: I have the CISA, but not the CIA. Back when the CIA was 4 exams, I studied for all the CIA exams except the financial exam, but ended up not taking any of the exams. I also have the CISSP.
IT admins and IT auditors often don’t see eye-to-eye, and they don’t usually think their goals are similar.
The IT auditor just has to work a little harder to convince the IT admin of that. I’ve worn both hats, so I know it can be done.
Filed under Audit, Security
A new IT auditor needs some help dealing with database patching issues and how far you need to dive into technology during an IT audit.
Take a moment to read his comment and add your thoughts. I’ve put in my 2 cents. Let’s get a good discussion going.
I think any auditor can chime in, as audit scope and audit limitations are not unique to IT audit.
Dinesh’s comment appears in What IT Auditors Ought to Know – and Don’t!
Why do so many IT auditors who pass the CISA know so little about IS and security–and in my opinion aren’t worth hiring* for that and several other reasons?
Well, I think I figured it out. So what clarified my understanding? I took the CISA exam.
SC Magazine had a good article back in November (I am a bit behind in my reading and my blogging) about industry pioneers in IT security. Listed below are quotes by a select few of the people the mag profiled. If you find their quotes interesting, or you are not familiar with them, I suggest you check out the article and perhaps do some extra reading about some of them.
I thought cryptography was a technique that did not require your trusting other people…” – Whitfield Diffie