Management, compliance & auditing

IT Auditing and Controls – An Overview

May 13, 2011 by Kenneth Magee

So you want to be an IT Auditor…..

Over the course of the next few weeks, I will be posting some ten articles to help you understand what it takes to move from wherever you are to a job as an IT Auditor:

Following that will be some articles on

Being an IT auditor doesn’t just mean going in and looking to see whether the organization has policies and procedures. Sure, it includes that, but those documents are only the organization saying WHAT it is going to do. IT auditors take that information and ask questions like, “Did you do what it says here in this procedure?”; “Can you prove that you did what it says in this procedure?”; “Was the control you put in place effective?”; and then follow that with, “Can you prove that it was effective?” In short, the auditor expects the organization to:

  • “Say what you do,”
  • “Do it,”
  • “Prove that you did it,” and then
  • “Prove that it was effective.”

Over the course of these articles, we’ll also talk about some specific controls that you as an IT auditor will want to look for, and we’ll meld that with industry best practices. I’ll also introduce you to some of my favorite tools, which I use when doing audits. And maybe you’ll be able to ask the same questions of your clients: “If you know the IT auditor is going to do a readability test of your backup media, why aren’t you doing it before the IT auditor gets here?” One would think that if you as a client knew what the auditors were going to be looking for, you would do whatever you needed to do so that all the answers were correct and supported.
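The backup-media readability test mentioned above is a good illustration of “prove that you did it”: the control is only evidenced if someone reads the whole backup back and records the result. The script below is an added example written for this page, not a tool from the article or its author. It assumes a tar.gz backup with a companion file holding the SHA-256 that was recorded when the backup was written (an assumed layout), reads every member of the archive back, and appends a timestamped PASS/FAIL line to an evidence log that an auditor can later ask for.

```shell
#!/bin/sh
# Added example (not from the original article): a backup "readability test"
# that produces auditable evidence. Assumed layout: ARCHIVE is a .tgz and
# MANIFEST holds the SHA-256 recorded when the backup was taken.

# SHA-256 of a file; portable across coreutils (sha256sum) and BSD/macOS (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_backup ARCHIVE MANIFEST EVIDENCE_LOG
# Returns 0 and appends a PASS line when the hash matches the manifest and the
# archive can be read end to end; returns 1 and appends a FAIL line otherwise.
verify_backup() {
    archive=$1; manifest=$2; log=$3
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    expected=$(awk '{print $1}' "$manifest")
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "$stamp FAIL $archive checksum mismatch expected=$expected actual=$actual" >> "$log"
        return 1
    fi
    # "Readable" means every member can be listed back, not merely that the
    # file opens: tar -t walks the whole stream and fails on truncation.
    if ! members=$(tar -tzf "$archive" 2>/dev/null); then
        echo "$stamp FAIL $archive archive not readable" >> "$log"
        return 1
    fi
    count=$(printf '%s\n' "$members" | grep -c .)
    echo "$stamp PASS $archive sha256=$actual members=$count" >> "$log"
    return 0
}

# Build a constructed sample backup in a temp directory so the example runs
# offline; prints the directory path.
make_sample_backup() {
    work=$(mktemp -d)
    mkdir -p "$work/data"
    echo "customer records" > "$work/data/records.txt"
    echo "app config" > "$work/data/config.ini"
    (cd "$work" && tar -czf backup.tgz data)
    sha256_of "$work/backup.tgz" > "$work/backup.tgz.sha256"
    echo "$work"
}
```

Run it on a schedule against real media and keep the evidence log with the backup records; the log is what answers “can you prove that you did it?” rather than a verbal assurance that restores are tested.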

Hopefully, at the end of these articles you will have an appreciation of IT auditing and you will be able to go into an organization, perform an audit, and add value to the business process.


J Kenneth (Ken) Magee is president and owner of Data Security Consultation and Training, LLC, which specializes in data security auditing and information security training. He has over 40 years of IT experience in both private industry and the public sector with the last 21 devoted to IT security and Risk Management.

Ken holds degrees from Robert Morris University and Fairleigh Dickinson University. He holds 30 certifications including: CTT+, CEH, CPT, SSCP, CISSP-ISSMP, CAP, CISA, CISM, ISO 27001 PA, GIAC-GWAPT/GSEC/GSNA, CIA-CGAP, Security+, and CDP. He is a Senior Instructor with the InfoSec Institute.
