Audit Programs...
95 views
Skip to first unread message
ravcpa
Feb 1, 2008, 12:43:30 PM2/1/08
to IT Audit Forum
I would love to see a free exchange of audit programs, ICQs, etc.
here. AuditNet used to be a decent resource until someone became
greedy. It's sad that something that ultimately promotes the
profession and helps everyone become better IT auditors is taken away
because of someone's profit motives.
Either way, I think most IT auditors with more than 5 years experience
can create audit programs using available resources without spending
money. I have over 10 years experience myself, and create all my own
audit programs and ICQs from scratch; however, I like to look at other
IT auditors' audit programs for new ideas, to fill any holes I have
missed, or just other general knowledge.
Of course it has to be an exchange. A community full of "takers" is
not going to be fruitful for anyone. I am willing to put out audit
programs I have developed. In addition to helping someone else out by
donating an audit program, I also appreciate feedback on anything I do
put out there. There are so many times on the ISACA list-serv that I
have a similar question as someone else, but no one responds. I don't
want to clutter the list-serv by saying, "me too" to some of the
requests. However, it is important for people to realize it is
usually more than the requestor that benefits from information
provided.
Forums such as these are very important for those of us in small
internal audit shops. I am the only IT auditor here, and as such, I
miss the casual IT audit conversations I used to have in former larger
shops. It's a leading cause of myopic thinking, knowledge
deterioration, and lack of staying abreast of current trends. Thanks
Steve for setting this up... here's hoping it is successful!
here. AuditNet used to be a decent resource until someone became
greedy. It's sad that something that ultimately promotes the
profession and helps everyone become better IT auditors is taken away
because of someone's profit motives.
Either way, I think most IT auditors with more than 5 years experience
can create audit programs using available resources without spending
money. I have over 10 years experience myself, and create all my own
audit programs and ICQs from scratch; however, I like to look at other
IT auditors' audit programs for new ideas, to fill any holes I have
missed, or just other general knowledge.
Of course it has to be an exchange. A community full of "takers" is
not going to be fruitful for anyone. I am willing to put out audit
programs I have developed. In addition to helping someone else out by
donating an audit program, I also appreciate feedback on anything I do
put out there. There are so many times on the ISACA list-serv that I
have a similar question as someone else, but no one responds. I don't
want to clutter the list-serv by saying, "me too" to some of the
requests. However, it is important for people to realize it is
usually more than the requestor that benefits from information
provided.
Forums such as these are very important for those of us in small
internal audit shops. I am the only IT auditor here, and as such, I
miss the casual IT audit conversations I used to have in former larger
shops. It's a leading cause of myopic thinking, knowledge
deterioration, and lack of staying abreast of current trends. Thanks
Steve for setting this up... here's hoping it is successful!
Peter Githinji
Feb 4, 2008, 1:20:53 AM2/4/08
to it-audi...@googlegroups.com
The expressions of Ravcpa are true and apply to presumably many of us - IT auditor being a one man shop in many small firms. I would like to point out that we work in different IT environments and we should be careful not to embrace audit programs wholesale, we need to pick out only what applies to us. And in most cases deisgning your own program is the best option because it will be based on the risks identified.
However,there are instances when audit programs would be nice to share - for networks, O/Ss, network components (FWs, Routers etc) because here the risks seem to be similar e.g. a hacker will exploit same vulnerabilities.I would like to share more of these and I have several for those that are interested.
Peter G
Peter Githinji
P O Box 64438 00620
Mobil Plaza, Nairobi, Kenya
Tel: +254 722 711 401
Steve
Feb 4, 2008, 12:22:15 PM2/4/08
to IT Audit Forum
I agree with both of your points. I create my own audit programs, but
appreciate any tools (others' audit programs) that can help me
accomplish that task more efficiently. Therefore, I subscribe to
auditnet.org, which my company has not reimbursed. However, that
expense can be deducted off your taxes, as it is money out of your own
pocket for a legitimate business expense (a handy tip during tax-
time ;~) ).
Leveraging others' audit programs can also help you learn how to
approach unfamiliar topics quickly and efficiently. For example, I
know that I'm interested in the services running on any server that
I'm auditing. However let's say that I'm unfamiliar with UNIX and how
to test for that. Another's audit program might have a workstep that
instructs the auditor to look for the inetd.conf file (which is where
you can find that type of information), and likely has some
instruction on the particular services that are risky. I could get
the same inforamtion from a book, but having that in a format that you
can cut-and-paste is VERY convenient.
I hope the members of this group could help each other out in this way
(sharing that type of informaiton). There is a section on this site
for sharing files called "Files." I'll volunteer to lead the charge
and post a 'generic' audit program that I use for most everything.
When I need to create a new audit program, I use this as a template.
It points towards all the 'concepts' that I'm interested in, and then
I look for other resources to help me accomplish the generic tasks
quickly, like the UNIX example I shared above. I hope this helps, and
I would put the challenge out for everyone to find one good resource
that they can share with everyone and post it on the site.
Cheers,
Steve
> > I would love to see a free exchange of audit programs, ICQs, etc.
> > here....
appreciate any tools (others' audit programs) that can help me
accomplish that task more efficiently. Therefore, I subscribe to
auditnet.org, which my company has not reimbursed. However, that
expense can be deducted off your taxes, as it is money out of your own
pocket for a legitimate business expense (a handy tip during tax-
time ;~) ).
Leveraging others' audit programs can also help you learn how to
approach unfamiliar topics quickly and efficiently. For example, I
know that I'm interested in the services running on any server that
I'm auditing. However let's say that I'm unfamiliar with UNIX and how
to test for that. Another's audit program might have a workstep that
instructs the auditor to look for the inetd.conf file (which is where
you can find that type of information), and likely has some
instruction on the particular services that are risky. I could get
the same inforamtion from a book, but having that in a format that you
can cut-and-paste is VERY convenient.
I hope the members of this group could help each other out in this way
(sharing that type of informaiton). There is a section on this site
for sharing files called "Files." I'll volunteer to lead the charge
and post a 'generic' audit program that I use for most everything.
When I need to create a new audit program, I use this as a template.
It points towards all the 'concepts' that I'm interested in, and then
I look for other resources to help me accomplish the generic tasks
quickly, like the UNIX example I shared above. I hope this helps, and
I would put the challenge out for everyone to find one good resource
that they can share with everyone and post it on the site.
Cheers,
Steve
> > I would love to see a free exchange of audit programs, ICQs, etc.
Steve
Feb 4, 2008, 12:48:49 PM2/4/08
to IT Audit Forum
Seem to be having problems uploading the audit program mentioned from
this location. I'll get that posted when I return home this evening.
Please check back after 7-8 PM (Pacific).
Steve
> > > here....- Hide quoted text -
>
> - Show quoted text -
this location. I'll get that posted when I return home this evening.
Please check back after 7-8 PM (Pacific).
Steve
>
> - Show quoted text -
OldGary
Feb 7, 2008, 1:53:13 PM2/7/08
to IT Audit Forum
I may be mixing home and work e-mail here, so pardon me if I wind up
slow in posting / replying. I'm also glad to share things I've used
in the past or to just join in on discussions.
Hope the group grows and succeeds.
Gary
> > - Show quoted text -- Hide quoted text -
slow in posting / replying. I'm also glad to share things I've used
in the past or to just join in on discussions.
Hope the group grows and succeeds.
Gary
Steve
Feb 7, 2008, 2:00:54 PM2/7/08
to IT Audit Forum
Okay...user error. I got home, and realized I didn't bring the file
with me to upload. That's been addressed, and I should have the audit
program posted in a day or two. Hopefully, nobody has been holding
their breath. :~)
Steve
> > - Show quoted text -- Hide quoted text -
with me to upload. That's been addressed, and I should have the audit
program posted in a day or two. Hopefully, nobody has been holding
their breath. :~)
Steve
Reply all
Reply to author
Forward
0 new messages