This post contains my response to my earlier post, ChatGPT Analyzes Internal Audit!
First of all, most of the article sounded like it was written by external auditors; it sounds important, but really doesn’t say much.
Tag Archives: risk
Response to ‘ChatGPT Analyzes Internal Audit!’
Filed under artificial intelligence (ai), Audit, Data Analytics, Data Science
ChatGPT Analyzes Internal Audit!
Just for fun, one of my readers asked ChatGPT to write an article analyzing how internal audit uses data analytics (love that alliteration).
If you’re new to ChatGPT, go here, and remember to scroll down.
This reader (who wishes to remain anonymous) asked ChatGPT to write about whether internal audit performs an adequate amount of data analytics and in the appropriate depth.
This person sent the result to me, and after reading it, I decided to publish it here.
Shatter Silos to Identify More Risk
If you want to increase the effectiveness of your audits and find risks that haven’t been identified before, you need to shatter your silos so you can identify more risk.
Too often, audits are performed on one process, one category, or one system: Earning Commissions, Windows Servers, or Wire Transfer. Each one of those is a separate silo (one for oats, one for corn, one for rice).
Filed under Audit, Data Analytics, fraud, How to..., Technology
Download SharePoint Data w/o Rights
At a company I worked at recently, I ran across a Sharepoint site and wondered whether I could download data that I wasn’t supposed to see.
Now I understand the purpose of SharePoint and company intranets is to share data, but even then, some data should be restricted to a limited number of people.
So I decided to check (before doing things like this, you better know How to Stay Out of Jail).
Filed under Audit, Excel, How to..., Security, Security Scout, Technology
No Metrics, Little Analytics
If your department doesn’t track metrics on your analytics, you are probably not doing analytics or you are making little progress in analytics.
In either case, its obvious that analytics isn’t very important to your management.
Which is one of the points I made in my post, 10 Signs Mgmt Doesn’t Really Support Analytics.
So far, I have encountered very few audit departments that track meaningful metrics about their analytics.
Counting the number of projects that include analytics isn’t enough.
Filed under Audit, Data Analytics, How to..., Written by Skyyler
Top 10 Reasons Why Being an IT Auditor is So Hard
Before you choose a career as an IT auditor, consider my top 10 reasons why being an IT auditor is so hard.
Filed under Audit, Employment, Technology, Top 10
Evaluating Risk in the Dark
When you evaluate the risk of a vulnerability, do you do it in the dark?
Or do you take into account other factors that might affect the risk?
What if one of the factors is an existing audit issue that has not been remediated?
Filed under Audit
CISA vs. CIA Certification
If you’re an IT auditor (or want to be one) and don’t have any audit certifications, which certification should you get, the CISA or the CIA? If you want to get both, which one do you get first?
Full disclosure: I have the CISA, but not the CIA. Back when the CIA was 4 exams, I studied for all the CIA exams except the financial exam, but ended up not taking any of the exams. I also have the CISSP.
Filed under Audit, Certification, Security, Technology
How Virtualization Changes Audits
If you haven’t determined how server virtualization changes your audit plans, you better get moving. I’m not just talking about a virtualization audit (more on that later), but the audits that you typically do every year or on a multi-year cycle.
For example, if every year you do an audit on all networks, servers, applications, and databases that host your key financial reporting or PHI systems, you’re looking at policies and procedures, configuration management, security (including patching), user access, logging, and so on. But do you first consider whether those assets run on virtualized servers?
Filed under Audit, How to..., Security, Technology
More on Hating Auditors
Previously I’ve discussed why auditors are hated and how auditors can be lovable. But when I saw a Q & A in the ISACA journal about hating auditors, I had to dive in again. Here’s the gist of the article, with my comments in italics. Although there’s some similarity to the posts I’ve mentioned above, they take a slightly different tack through the audit seas.
Auditors that do the following are “hated”…
Filed under Audit
Securing Virtual Servers
Here’s my take on the issues that I found with the following quote from SC Magazine (for more info, see Quote of the Weak (Securing Virtual Servers):
We don’t treat the virtualization servers any different than the physical servers when it comes to security. We treat them the same. Security is security.
Filed under Quote of the Weak, Security
IIA Basics for Auditors
The Institute of Internal Auditors (IIA) has back-to-basics articles for new auditors (and like Dummies books, the topics can be a reference for the rest of us). Even security pros might want to read a few of these to better understand their auditors, or how those auditors should be doing their jobs.
The topics are as follows (no special order):
Case File: Trouble Bites Auditor
As an auditor, I’ve been accused many times of looking for trouble. I have to admit that it’s true, because that’s my job. But too often, trouble comes looking for me. Sure it makes my job easier, but it also makes me scratch my head.
When I was in IT operations, before I got into security and audit, I was always thorough and followed common sense and company policy. However, any projects that I was doing that might draw the eyes of either of those departments, I double-checked prior to delivery. Most bosses don’t like surprises, and I was always a details guy. Besides, why poke the bear?
Filed under Audit, Case Files
Shipley on Cloud Computing Risks
Greg Shipley,* CTO of Neohapsis, wrote an article in Information Week magazine about cloud computing risks, making the following points:
1) One company discovered it was using Amazon’s cloud services when employees tried to expense the bills. It’s 10 o’clock; do you know where your clouds are?
Not Your Father’s Social Network Risks?
You might remember the commercial that said, “This isn’t your father’s Oldsmobile,” meaning this car is nothing like the one your father drives. It’s faster, more luxurious, more YOU.
Have you noticed that the opposite is true regarding the hype over social networking and the risk it brings to your business and a computer near you? In other words, to quote an old king, “There is nothing new under the sun.”
Filed under Security
Patch Band-aidment
IT has come up with all kinds of ways to protect assets without applying patches. Yes, patching takes time if done correctly. However, the solutions have issues that need to be kept in mind.
Filed under Security
Schneier’s Security Trade-offs
Bruce Schneier has 5 questions for assessing security and the trade-offs that are made during the assessment process.
- What assets are you trying to protect?
- What are the risks to these assets?
- How well does the security solution mitigate those risks?
- What other risks does the security solution cause?
- What trade-offs does the security solution require?
5 Security Steps for Non-Big Businesses
Lenny Zeltser suggest 5 steps that mid-market organizations can take down the security path:
- Identify key data flows
- Understand user interactions
- Examine the network perimeter
- Assess the servers and workstations
- Look at the applications
Filed under Security
ITauditSecurity 