Tag Archives: test

Quote of the Weak – Auditor Judgment

We recently acquired a new data analysis tool in our department, which prompted some of our newbie auditors to share their misunderstanding of auditor judgment and basic data analysis.

A group of less experienced and newer auditors were selected to try out the new tool before it was rolled out department-wide.

If you’re not familiar with my ‘Quote of the Weak’ series, I described it briefly in About. For a list of posts in this series, see here. If you haven’t seen one of these posts before, it’s because I haven’t had one in a while…


Filed under Audit, Data Analytics, Humor/Irony, Quote of the Weak, Technology

How to Review Your ACL Log

Whether you script your projects or use menu commands, you need to review your ACL log carefully.

Good analysts review their results and the log as they work in ACL, after they think they are done, and have others review their log before the ACL project is relied upon.

(You can’t imagine the dumb mistakes my team and I found that saved us a lot of embarrassment later.)


Filed under ACL, Data Analytics, How to..., Scripting (ACL), Written by Skyyler

Free CISSP Review Material, Practice Exams

I just found some more FREE CISSP review material and practice exams. One exam is 100 questions, the other 250.


Filed under Certification, Free, Free Download, Security

ACL Tip: Beware of ORs and ANDs

Whenever you use OR and AND operators in ACL (or other software, for that matter), be careful to ensure that you receive the results that you are looking for.

Assume you have Table1, which contains 100 loan transactions. 10 of those transactions have a loan rate of 5% and 10 transactions have a rate of 6%. The remaining transactions have rates above 10%.


Filed under ACL, Audit, Data Analytics, How to..., Scripting (ACL), Written by Skyyler

Plan to Test the Test Plan

Always test the test plan and make sure it actually tests the control or risk being assessed. And make sure the tester (especially when you are observing the tester rather than performing the test yourself) actually follows the test plan.

During a segregation of duties (SOD) test for an expense report approval system, an auditor was observing a client perform a test. The client was supposed to enter his user ID into the Approver field to demonstrate that he could not approve his own expense report.


Filed under Audit

Risk: Look Both Ways

On my walk to work, I cross a lot of 1-way streets. I always look both ways. Sometimes, when a friend or colleague is walking with me, I get teased about this. I always reply with this question: Have you ever driven down a 1-way street the wrong way? For some reason, I never get a reply and another subject surfaces.

When I crossed one of those streets the other day, I realized that some people look at audit/security/risk the same way. They only look one way because of the people or rules or controls or norms that govern the activity. They fail to think outside of the cubicle and look the other way–the path seldom traveled.


Filed under Audit

How to Pass Certification Exams

Getting ready to take the CISA, CISM, CISSP, CIA, PMP, MCSE, or other certification exams? Here’s what you need to do to pass those tests:


Filed under Audit, Certification, How to..., Security, Technology