
IT auditing and controls – An overview

May 13, 2011 by Kenneth Magee

So you want to be an IT Auditor…

Over the course of the next few weeks, I will be posting some ten articles to help you understand what it takes to move from wherever you are to a job as an IT Auditor:

Following that will be some articles on

Being an IT auditor doesn’t just mean going in and looking to see if the organization has policies and procedures. Sure, it includes that. But that is just the organization saying “WHAT” they’re going to do. IT auditors will take that information and ask questions like, “Did you do what it says here in this procedure?”; “Can you prove that you did what it says in this procedure?”; “Was the control you put in place effective?”; and then follow that with the question, “Can you prove that it was effective?”


  • “Say what you do,”
  • “Do it,”
  • “Prove that you did it,” and then
  • “Prove that it was effective.”

Over the course of these articles, we’ll also talk about some specific controls that you as an IT auditor will want to look for, and we’ll meld that into Industry Best Practices. I’ll also introduce you to some of my favorite tools, which I use when doing audits. And maybe you’ll be able to ask the same questions of your clients: “If you know the IT auditor is going to do a readability test of your backup media, why aren’t you doing it before the IT auditor gets here?” One would think that if you as a client knew what the auditors were going to be looking for, you would do whatever you needed to do, so that all the answers were correct and supported.

Hopefully, at the end of these articles you will have an appreciation of IT auditing and you will be able to go into an organization, perform an audit, and add value to the business process.


Ken is President and owner of Data Security Consultation and Training, LLC. He has taught cybersecurity at the JAG school at the University of Virginia, KPMG Advisory University, Microsoft and several major federal financial institutions and government agencies. As CISO for the Virginia Community College System, Ken’s focus was the standardization of security around the ISO 27000 series framework. Writing is one of his passions and he has authored and/or co-authored several courses, including CISSP, CISA, CISM, CGEIT, CRISC, DoD Cloud Computing SRG and a course for training Security Control Assessors using NIST SP 800-53A. Ken has also achieved a number of certifications, including CISSP, SSCP, CCSP, CAP, ISSMP, ISSAP, ISSEP, CISM, CISA, CAC, CEH, ISO9000LA, ISO14001LA, ISO27001PA, Security+, CySA+, CASP, CTT+, CPT, GSEC, GSNA, GWAPT, CIA, CGAP, CFE, MCP, MCSA, MCSE and MCT.