Let's be honest. As auditors working in IT we sometimes want to meet a specific objective but we don't have any idea how to meet it. Most auditors will be comfortable agreeing to this point, but here's the unfortunate truth that follows on from the last statement: If we don't know how to perform the audit, and can't figure it out on our own,we sometimes change our objective to something easier!
The idea that an auditor might change his objectives in order to create an audit program that he knows how to follow may not seem to be that bit a deal. If you think about it, though, there must be something that lead the auditor to the point of asking a specific question. Not knowing how to answer a question does not make the question unimportant! In fact, I would argue that in many cases these are precisely the questions that you must answer! Afterall, if you can't figure out how to audit something, what are the chances that the administrator doesn't really know how to secure it!!
"Ok, that's fine," I hear you say, "but what do we do about it?" Great question. I work with organizations as an auditor and security consultant fairly regularly. The organizations that I interface with range from a few hundred employees to tens of thousands of workers. No matter the size, they all have a common problem: not nearly enough time or money is spent training people how to do their jobs properly.
Don't get me wrong, there's likely some level of on the job training. This is good, to a point, but there's almost never enough outside training and knowledge expansion, giving employees the opportunity to come up with new, better and more efficient ways to improve processes.
How about in the IT Audit field? While it's true that training options, especially in technical topics, can be somewhat limited, there are a few events and possibilities that you should consider:
The IIA periodically runs "regional" style conferences. They may not be in exotic locales, but they do try to invite current, relevant speakers for some of their educational tracks. Consider attending the IIA conference later this year in Canada.
If you need to know what questions to ask about technical systems, including virtual environments, routers, switches, web applications, Windows domains and more, you need to have a look at the Advanced Technical Auditing course from SANS. This gives auditors all of the right questions to ask with constant pointers back to the process that needs to be fixed. It's also great for administrators and security folks because automated compliance and monitoring strategies are included throughout. If you're on the West coast, I'll be teaching this very course in Phoenix in late February.
On the other hand, if you need to address higher level process issues, you definitely need to have a look at the Implementing the 20 Critical Controls course. In this course, each of the 20 consensus audit guidelines is thoroughly examined and, in most cases, recommendations for implementation are provided as well. You will definitely leave with a list of items to add to your higher level audits!