Tag Archives: management

Some Periodic Reviews Provide Little Assurance

I’ve written before how some periodic reviews provide management with little assurance, but management doesn’t realize how little.

My previous post focused mostly on server access. In this post, I want to look at normal user access.

For example, let’s assume your company has a policy that states that all IDs must be assigned within an Active Directory group. In other words, IDs are assigned to groups, and groups are assigned to assets; IDs should not be assigned directly to an asset.

Assume the control you are testing states that user access is reviewed annually.


Filed under Audit, Security, Technology

Steal from Agile to Increase Audit Analytics

To increase the amount and depth of the analytics performed, steal some agile methods, and apply them to your audits.

If you’re not familiar with agile methods, check out the first 5 topics listed here (just click Next at the bottom of each page; the topics are quick to the point and full of pictures).

Briefly, agile projects are performed in cycles, or iterations, rather than in a long, linear-waterfall fashion, which is: do all planning, then field work, then reporting. Each iteration of the project creates some value and includes feedback, which is used in the next iteration to increase the value of the project.


Filed under Audit, Data Analytics, How to..., Technology, Written by Skyyler

Create a Team for Audit Analytics? Part 3

In the previous post, Create a Team for Audit Analytics? Part 2, I explored the pros and cons of expecting all auditors to develop a level of data and analytic proficiency.

These auditors would continue to do audit testing that involves analytics as well as testing that does not involve analytics. In addition to keeping up their business skills, they would be learning and upgrading their data analytic skills.

In the first post of this series, I reviewed some of the pluses and minuses of creating a dedicated analytics team.

However, a third option exists, which is sort of a hybrid between having dedicated analytic auditors doing all the analytic work and requiring everyone to increase and develop their data and analytic skills.

Let’s explore the hybrid method in this post, and wrap up the series with a few final thoughts.

This is the third post of a 3-part series…


Filed under Audit, Data Analytics, How to..., Technology, Written by Skyyler

5 Things We Need from ACL in 2018

Here are the 5 things I’m hoping will change in 2018 regarding ACL.

They are all related to each other and feed off each other…

Interesting.


Filed under ACL, Audit, Data Analytics, Excel, Scripting (ACL), Technology, Written by Skyyler

IIA Analytics Article Dead Wrong

A recent IIA article on building an analytics function in internal audit is dead wrong.

At least on one major point, anyway. And it’s a big one.

As the tombstone reads, this point is D.O.A (dead on arrival, or more specifically, dead on analytics).

The article, Building a data analytics program, requires IIA membership to view, and is located at https://iaonline.theiia.org/2017/Pages/Building-a-Data-Analytics-Program.aspx (that’s actually good, as it means a lot fewer people will ever read it).


Filed under Audit, Data Analytics, Written by Skyyler

Which Way is Analytic North?

To create a successful analytics program in internal audit, you must have a plan. A plan that points to analytic North.

That requires WRITTEN goals.

In an earlier post I outlined 10 Signs Mgmt Doesn’t Really Support Analytics.

One of the signs that indicates management isn’t really serious about analytics is that management does not require every staff member to have measurable analytic goals.


Filed under Audit, Data Analytics, Excel, How to..., Written by Skyyler

Audit Management Sometimes Sucks

When internal auditors (or those pretending to be such) do poor work and don’t follow the appropriate audit and IT standards, they are unprofessional. However, I put the blame at the feet of audit management.


Filed under Audit, Employment

Careers After IT Auditing

Recently, a reader named Porak asked me what careers IT auditors can move to when they leave auditing (see the original question here).

I couldn’t find much on the Internet on this topic, but there are a lot of options.

I’ve actually worked in quite a few of the areas mentioned below…


Filed under Audit, Employment, How to..., Technology

Data Center Failure: Conclusion


In previous posts, I described how I gained access to the data center area and then the data center proper.

I had bypassed door #1 and door #2.

My new colleagues were not happy.


Filed under Case Files, Security, Security Scout

Biggest Problem in Computer Security

What’s the biggest problem in computer security, according to valsmith at carnal0wnage.attackresearch.com? Well, it’s…

Staffing.

As the author admits, the post leans toward self-promotion of the company, but it makes many good points and deserves a read and a good pondering.


Filed under Audit, Security

More on Hating Auditors

Previously I’ve discussed why auditors are hated and how auditors can be lovable. But when I saw a Q & A in the ISACA journal about hating auditors, I had to dive in again. Here’s the gist of the article, with my comments in italics. Although there’s some similarity to the posts I’ve mentioned above, they take a slightly different tack through the audit seas.

Auditors that do the following are “hated”…


Filed under Audit

Conclusion: Audit Server Disappeared

In Case File: Audit Server Disappeared, I noted that a friend of mine learned that IT had, on its own prerogative, wiped a server belonging to Internal Audit because “it never appeared to be used.”

Some of you already commented on some of the issues involved in this incident and the normal IT activities that should have prevented this incident (or at least alerted IT that something was wrong). Let’s review those comments and I’ll add some other details and comments.


Filed under Audit, Case Files