Further Web resources supporting the latest NoticeBored Classic module on IT auditing
This page last updated on Tuesday, April 29, 2008
The following websites and other Web resources proved useful in our research for this month’s NoticeBored Classic awareness module on IT auditing. Do let us know if your favorite IT audit resources are not yet listed here, and keep up with relevant entries on the NoticeBored Blog.

General IT audit resources
A guide to auditing Information Security Management Systems advises on how to audit both the
management system as a whole, and the information security controls, through separate audit checklists. The guide is a contribution to the draft ISO/IEC 27007 standard.
The IT Compliance Institute (ITCi) IT Audit Checklist for Information Security offers guidance on improving information security and assessing its robustness.
The Canadian Government has a guide to auditing IT security and another on auditing general corporate security.
Early Warning Signs of IT Project Failure: The Dominant Dozen describes the top 12 people-related and
project-related IT project risks, based on data collected from a panel of 19 experts and a survey of 55 IT
project managers. Getting a good grip on these dozen issues will significantly improve your organization’s chances of IT project success.
If you are fed up with the glossy information security magazines that are basically extended
advertorials, take a look instead at the professional peer-reviewed journals such as EDPACS, the Electronic
Data Processing Audit, Control, and Security newsletter, and Norwich University’s Journal of Information Assurance. Peer review is an important quality assurance measure: articles are reviewed for content and
style by editorial board members with extensive academic and practical experience in the field. Vague
assertions are out. Properly researched and supported conclusions are in. [If you would be interested in seeing your own work published in journals such as these, contact the journals or contact us for advice.]
In addition to being the Editor for EDPACS and authoring countless columns and articles on IT audit, Dan
Swanson runs two Yahoo mailing lists supplying links and occasionally content in support of IT audit and
related topics such as IT governance. Dan shares a wealth of links to audit resources including many on this page (thanks Dan!). Internal Audit Helpers is a similar service from Roger McDaniel supplying lists of
interesting audit resources with brief commentaries on each.
Our tongue-in-cheek IT Audit FAQ presents a wealth of useful information about the purpose and
activities involved in auditing information assets. It also advises those considering a career in IT audit.
The Institute of Internal Auditors (IIA) is the professional body representing all internal auditors, with a section of their website devoted to technology auditors. Their ITAudit eZine carries good articles on
computer audit, information security and IT governance topics. An excellent series of advisories to help senior audit and corporate managers understand IT audit issues is being published sequentially as Global Technology Audit Guides. The IIA’s IT Audit discussion board (access requires free registration - IIA
nonmembers welcome) is a great place to get assistance with IT audit matters from a global community of over 4,000 IT auditors.
Auditors Sharing Audit Programs (ASAP) is a collaborative project under the leadership of Jim Kaplan to
collect and share audit checklists. Generic checklists are seldom useful without modification but provide a useful starting point when scoping and preparing for a new audit. Auditnet.org, a wonderful website for IT audit and information security professionals, also includes an extensive links collection for IT auditors called ARL (Auditnet Resource List) still lovingly tended by Jim Kaplan and previously known as KARL (Kaplan’s ARL).
Irish consultant Patrick O’Beirne’s links collection lists loads of useful resources for
spreadsheet users and auditors. His book about the security and control aspects of writing and reviewing spreadsheets, reviewed elsewhere on this website, should be
required reading for all IT auditors (~$27 from Amazon).
The textbook Core Concepts in Information Technology Auditing
(~$62 from Amazon) provides a solid introduction to IT audit concepts and methods. 
Daniel Goleman’s Working with Emotional Intelligence (~$19 from Amazon) takes an entirely different tack: it explains the skills required by auditors to
empathize with their auditees, and provides a wealth of advice on building on one’s strengths and tackling one’s weaknesses when it comes to forming
effective personal relationships at work. [One of our all-time favorites - highly recommended.]
The Treasury Board of Canada maintains an internal controls review checklist for security auditing.
POGO (Project on Government Oversight) is a self-appointed activist body/watchdog that comments on US
government spending and governance issues. It encourages whistleblowers in the public service to expose
dubious fiscal and environmental practices or corruption, and provides them with support and anonymity.
The IT Compliance Institute’s IT audit checklist for reviewing information security management has many
potential uses [access requires registration]. It can be used directly by experienced IT auditors and compliance assessors as a checklist to guide a review of key controls, and it provides pointers on audit
preparation, testing and reporting. Prospective auditees and managers will benefit from reading about and
preparing for the kinds of things the auditors will be doing, especially the section on things the auditors will be
looking for. Those designing and implementing Information Security Management Systems will appreciate
the guidance on elements of an ISMS that auditors find particularly important. The checklist can even form the basis of a structured description or specification for a robust ISMS not a million miles away from ISO/IEC 27001 and 27002.
Sound advice from an experienced IT auditor on how to disagree with your auditor recommends providing
facts to support your position and refute what the auditor says. Facts are the auditors’ friend so fight fire with fire.
SAS 70 (Statement on Auditing Standards #70) from the American Institute of Certified Public Accountants
(AICPA) is a standard for auditing ‘service providers’ such as banks and their outsourcing partners. An FAQ on SAS 70 compares it to other standards such as ISO 9000, SysTrust and WebTrust.
IBM’s Spreadsheet Modelling Best Practice, published by the Institute of Chartered Accountants for England
and Wales and promoted by the European Spreadsheet Risks Interest Group, describes techniques for
designing and testing complex business/financial models. Even the simple idea of controlling the development of business-critical spreadsheet applications (or for that matter other end-user developments)
using structured development methods as if they were standard IT/application systems is a complete no-brainer yet seems rare in practice. [Anyone who has ever audited spreadsheets and databases written by
business people in their spare time will surely sympathize.]
For many years, Professor Ray Panko from the University of Hawai’i has led an outstanding team researching errors in spreadsheets and other programs. Studies have shown that over 90% of
spreadsheets contain errors and some are so wrong as to be totally misleading. “The most significant thing
... is that every study that has looked at spreadsheet errors has found them and has found them at disturbing rates.”
HM Customs and Excise developed SpACE, a tool to help them audit spreadsheets used for VAT returns etc.
If you are reviewing/auditing spreadsheets, this checklist summarizes the kinds of issues worth considering.
The web is an excellent source of information on computer audit, especially on technical aspects such as information security vulnerabilities. The Institute of Internal Auditors (IIA), ISACA [more below] and International Information Systems Security Certification Consortium (ISC2) have information relating to their professional qualifications and a wealth of other information of interest to practicing computer auditors,
although (not unreasonably) the best bits are often reserved for their members.
A consultancy company selling computer audit services describes the benefits of computer audits.
The IT audit function
The US General Accounting Office and National State Auditors Association produced a joint paper, a
management planning guide on establishing information systems security audit capabilities.
20 questions directors should ask about Internal Audit from the IIA helps directors understand Internal
Audit’s contribution to the business and guides the Audit Committee on what to ask the Chief Audit Executive.
Ever been asked to set up an Internal Audit Department from scratch? The IIA’s suggestions will get you started.
The Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook is nothing to do with exams for IT qualifications. It guides the formation of an effective IT audit
function by defining its purpose, roles and responsibilities etc.
Audit tools & Computer Aided Audit Tools (CAATs)
Audit Control Language (ACL) and CaseWare IDEA are the market leading CAATs. Using products such as
these, auditors can conduct powerful off-line queries and reports against data sets extracted from systems.
[It’s a shame these very same reporting and analytical facilities are not routinely incorporated into business-critical application systems!]
Google and AltaVista (amongst many other search engines) are wonderful tools for researching any topic
prior to starting a computer audit assignment, especially once you get the hang of the search syntax (e.g. on Google, link words into a phrase with any punctuation like.this and exclude words or phrases with a
hyphen -like.this). The Google Toolbar makes it easy to search from any page and Google Alert is an uber-cool service for tracking changes in the results of standard Google searches that you often repeat.
Tools to audit PC hardware and software generally offer quite basic functions for analyzing and recording the
system configuration and program files. Some offer more advanced techniques to determine more accurately which applications and even which versions are installed, using databases containing identifying
characteristics of known programs and searching the executable files themselves for copyright and other text strings.
IT auditors, among others, occasionally need to review networked systems in some depth for security vulnerabilities. The Metasploit project supports computer auditors and penetration testers.
Operis sells an Excel add-on with tools to help develop and analyze/test/audit spreadsheets, supplementing the basic audit facilities built into Excel by Microsoft.
ActiveData is another audit toolkit add-on for Excel that adds, for example, the facility to test a numerical data range using Benford’s law (which predicts a certain nonlinear distribution of digits) in order to identify anomalous, possibly fraudulent values.
TeamMate is PwC’s audit workflow system - an integrated suite of tools and templates for structuring,
performing and managing an audit department’s working practices. TeamMate can be used to enforce QA measures (such as requiring all audit work papers and reports to be signed-off by audit team leaders or
managers), although it is reasonably flexible to configure.
ISACA, COBIT, ValIT & CISA
K-net is ISACA’s Knowledge Net, a collection of links to thousands of IT audit resources on the Web.
[ISACA members get access to all the links whereas nonmembers can only access some.]
ISACA’s ValIT method is an exciting development both for IT auditors reviewing IT projects and for
project and business managers managing them. It provides a set of guiding principles supported by management practices aiming to help the organization get the most value from its IT investments.
ISACA started as a primarily US-based Information Systems Audit and Control Association in the late
1960s/early 1970s but grew to represent the interests of IT audit and IT governance professionals pretty much everywhere. Chapters hold local meetings and contribute to national/international conferences. Feedback is
sought on exposure drafts for new or updated professional IS audit standards from time to time.
ISACA’s COBIT (Control Objectives in IT) method has matured from modest beginnings as a guide for
computer auditors on best practice IT management controls into a comprehensive tool to guide the implementation of sound IT governance systems. ISACA members can access the summary level COBIT framework on-line for free or access the full system on payment of a supplementary subscription. COBIT version 4.1 is the latest.
The extensive ISACA bookstore sells a wide range of books, guides, CDs etc. about computer audit,
including CISA and CISM study guides and some specialist titles that are hard to find elsewhere. ISACA also publishes professional standards, guidelines and procedures for computer auditing.
ISACA’s CISA (Certified Information Systems Auditor) is easily the leading global qualification for
professionals in this field. The next CISA exam will be held at many places worldwide in June 2008.
Related NoticeBored links collections
Change management, compliance, IT governance, risk management, IT-related fraud, information security management, accountability and integrity/fraud.
NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.