Blog: SANS Audit Advice & Resources

Top Ten Tips for Auditors

Are you new to the IT audit field? Have you been auditing systems for years? Regardless of your background, I'm sure you'll find these useful.

  1. Auditing is never about trust or the lack thereof. If you don't trust your employees you're not auditing, you're investigating. If management doesn't trust the employees then the employees should likely be replaced. Lacking trust, it will be difficult to lead the organization to success.
  2. The primary role of an auditor is to measure and report on risk to the business and its objectives. If an auditor loses sight of this actual role, it can lead to misleading findings. Management, and therefore auditors, must always keep their eyes on the prize.
  3. A secondary objective is to reduce risk by raising the awareness of, at a minimum, management. With awesome power comes awesome responsibility. Management asks us to tell them how the business is operating. If we fail to inform them in an effective way then we fail in our responsibility to the business.
  4. Never try to go toe-to-toe with a System Administrator on technical issues. There's a reason they're the administrator and you're the auditor.
  5. Auditing is never about catching people doing things wrong. In fact, the best feeling as an auditor is to include commentary on some of the very right things that are going on in a business!
  6. Communication is the most critical skill for an auditor; many times we are simply translating things that management has already heard into words that they understand. In fact, as an auditor works with technical staff, he may forge relationships by choosing to adopt recommendations the existing staff already support as his own in the audit report.
  7. Always present recommendations in the framework of the currency of the organization. If the business cares most about money, use dollars. Don't assume, however, that money is always the most motivating factor for management.
  8. Trying to find everything is often a mistake. Working with too large a scope can lead to a report that causes despair rather than increased security.
  9. Never make promises. Sometimes auditors discover truly gifted individuals who seem to be overlooked within the organization. While personal commendation is never bad, promising to tell management how wonderful the employee is can lead to dissatisfaction and turnover.
  10. Never take it personally. Despite every effort auditors will sometimes face individuals who cannot separate business matters from personal matters. Worse, auditors will sometimes have to become the referee between business units or even individuals. Never let them see you sweat. Remember, it's only business.
For a comprehensive course on how to identify critical controls, validate that the correct controls are in place and validate processes, consider the SANS 6 day course, "Advanced System & Network Auditing". David Hoelzer is the SANS IT Audit Curriculum Lead and the author of several SANS IT Audit related courses. He also teaches an extensive workshop on "Technical Communications & Presentation Skills."


Posted January 19, 2013 at 1:47 PM


Point no. 2 is about the primary objective of the auditor. In external audit the primary objective is independent verification, and risk reporting is rather far; is this correct?
