IT auditing and controls – An overview
So you want to be an IT Auditor…
Over the course of the next few weeks, I will be posting some ten articles to help you understand what it takes to move from wherever you are to a job as an IT Auditor:
- We’ll start with an Introduction to IT Auditing;
- Move on to the Planning that goes into an IT Audit;
- Then we’ll look at several of the different auditing organizations, their standards, and their frameworks;
- In the fourth article we’ll start looking at IT Governance, what it is, and why it’s important.
Following that will be some articles on
- IT Basics,
- The Internet,
- General Controls,
- Application Controls,
- Database Controls,
- And we’ll wrap it all up with some IT infrastructure controls.
Being an IT auditor doesn’t just mean going in and looking to see if the organization has policies and procedures. Sure, it includes that. But that is just the organization saying “WHAT” they’re going to do. IT Auditors will take that information and ask questions like, “Did you do what it says here in this procedure?”; “Can you prove that you did what it says in this procedure?”; and “Was the control you put in place effective?”; and then follow that with the question, “Can you prove that it was effective?”
- "Say what you do,"
- "Do it,"
- "Prove that you did it," and then
- "Prove that it was effective."
Over the course of these articles, we’ll also talk about some specific controls that you as an IT auditor will want to look for and we’ll meld that into Industry Best Practices. I’ll also introduce you to some of my favorite tools, which I use when doing audits. And maybe, you’ll be able to ask the same questions of your clients. “If you know the IT auditor is going to do a readability test of your backup media, why aren’t you doing it before the IT auditor gets here?” One would think that if you as a client knew what the auditors were going to be looking for, you would do whatever you needed to do, so that all the answers were correct and supported.
Hopefully, at the end of these articles you will have an appreciation of IT auditing and you will be able to go into an organization, perform an audit, and add value to the business process.