The IT Auditor Skillset

1
The IT Auditor Skill-set

• A Journey In Versatility

2
The IT Auditor Skill-setA Journey In
Versatility

• Presented By Lennox Brown
• CISA, CA,CCP,CIA,CFSA,CFE,CSM,
• FLMI, NSA (IAMIEM)
• For Trinidad Tobago ISACA Chapter
• Date Tuesday July 22, 2008
• Venue Valpark, Valsayn

3
Factors Affecting Skill-Set Requirement

• Professional Standards Requirements
• Environmental Factors
• Elements of the IT Audit
• ISACAs Preparatory Guidance

4
Factors Affecting Skill-Set Requirement

• Employers Skill-Set Preference (External)
• Employers Skill- Set Preference (Internal)

5
Factors Affecting Skill-Set Requirement

• Professional Standards Requirements

6
Standard -- Professional Competence S4

• The requirement for competency is embodied in
  ISACAs Standard S4 -Professional Competence.
  This IS Auditing Standard is effective for all
  information systems audits beginning 1 January
  2005.
• ___________
• 03 - The IS auditor should be professionally
  competent, having the skills and knowledge to
  conduct the audit assignment.
• 04 - The IS auditor should maintain professional
  competence through appropriate continuing
  professional education and training.
• ___________

7
Guideline -- Competence G30

• This guideline provides guidance in applying IS
  auditing standard S4 Professional Competence. The
  IS auditor should consider this guideline in
  determining how to achieve implementation of the
  above standards, use professional judgement in
  its application and be prepared to justify any
  departure.
• ___________
• 1.4.1 - IS auditors are expected to be highly
  competent. To meet this objective, IS auditors
  need to acquire the necessary skills and required
  knowledge to carry out assignments. The
  additional challenge is to maintain competence by
  continually upgrading knowledge and skills.
• ___________

8
Guideline -- Competence G30

• ___________
• 1.4.4 - The IS auditor should perform
  professional services with due care, competence
  and diligence and has a continuing duty to
  maintain professional knowledge and skill at a
  required level to provide reasonable assurance
  that the requirements of professional auditing
  standards are met and the audited organisation
  receives the advantage of competent professional
  service based on up-to-date developments in
  practice, legislation and techniques.
• ___________

9
The IS/IT Auditors responsibilities in response
to the competency requirements.

• Acquiring Skills and Knowledge
• Primarily, the IS auditor should be responsible
  for acquiring the required professional and
  technical skills and knowledge to carry out any
  assignment the IS auditor agrees to perform.
• Building Competence
• Competence implies possessing skills and
  knowledge, and expertise through an adequate
  level of education and experience.

10
The IS/IT Auditors responsibilities in response
to the competency requirements.

• Continual Maintenance
• The IS auditor should continually monitor their
  skills and knowledge to maintain the acceptable
  level of competence. Maintenance through
  continuing professional education (CPE) may
  include, and is not limited to, training,
  educational courses, certification programmes,
  university courses, conferences, seminars,
  workshops, teleconferences, web casts and study
  circle meetings.

11
Factors Affecting Skill-Set Requirement

• Environmental Factors

12
Environmental Effects on IS/IT Auditors response
to competency requirements
13
Environmental Effects on IS/IT Auditors response
to competency requirements
Environmental factors that impact the state of
IS/IT auditing have consequential impact on the
competency, qualification and experience
requirement of the IS/IT Auditor.
14
OK Now what are the baseline skill-set that an
IS/IT Auditor should possess or develop at the
minimum?
15
Factors Affecting Skill-Set Requirement

• Elements of the IT Audit

16
Factors Affecting Skill-Set Requirement Elements
of the IT Audit

• IS/IT Audit Defined
• Definition (1)
• An information technology audit, or information
  systems audit, is an examination of the controls
  within an Information technology (IT)
  infrastructure. An IT audit is the process of
  collecting and evaluating evidence of an
  organization's information systems, practices,
  and operations. The evaluation of obtained
  evidence determines if the information systems
  are safeguarding assets, maintaining data
  integrity, and operating effectively and
  efficiently to achieve the organization's goals
  or objectives.
• Source
• http//en.wikipedia.org/wiki/Information_technolo
  gy_audit

17
Factors Affecting Skill-Set Requirement Elements
of the IT Audit

• IS/IT Audit Defined
• Definition (2)
• While there is no single universal definition of
  IS audit, Ron Weber has defined it (EDP
  auditing--as it was previously called) as
• "the process of collecting and evaluating
  evidence to determine whether a computer system
  (information system) safeguards assets, maintains
  data integrity, achieves organizational goals
  effectively and consumes resources efficiently."
• Source
• Information Systems Control Journal, Volume 1,
  2002 The IS Audit Process By S. Anantha Sayana,
  CISA, CIA

18
Factors Affecting Skill-Set Requirement
Elements of the IT Audit

• Purpose of IS/IT Audit
• The purpose of IS audit is to review and provide
  feedback, assurances and suggestions regarding
• Availability
• Will the information systems on which the
  business is heavily dependent be available for
  the business at all times when required? Are the
  systems well protected against all types of
  losses and disasters?

19
Factors Affecting Skill-Set Requirement
Elements of the IT Audit

• Purpose of IS/IT Audit
• The purpose of IS audit is to review and provide
  feedback, assurances and suggestions regarding
• Confidentiality
• Will the information in the systems be disclosed
  only to those who have a need to see and use it
  and not to anyone else?

20
Factors Affecting Skill-Set Requirement
Elements of the IT Audit

• Purpose of IS/IT Audit
• The purpose of IS audit is to review and provide
  feedback, assurances and suggestions regarding
• Integrity
• Will the information provided by the systems
  always be accurate, reliable and timely?
• What ensures that no unauthorized modification
  can be made to the data or the software in the
  systems?

21
Factors Affecting Skill-Set Requirement
Elements of the IT Audit

• Elements of IS Audit
• Physical and Environmental Review This includes
  physical security, power supply, air
  conditioning, humidity control and other
  environmental factors.
• System Administration Review This includes
  security review of the operating systems,
  database management systems, all system
  administration procedures and compliance.

22
Factors Affecting Skill-Set Requirement
Elements of the IT Audit

• Elements of IS Audit
• Application Software Review The business
  application could be payroll, invoicing, a
  web-based customer order processing system or an
  enterprise resource planning system that actually
  runs the business. Review of such application
  software includes access control and
  authorizations, validations, error and exception
  handling, business process flows within the
  application software and complementary manual
  controls and procedures. Additionally, a review
  of the system development lifecycle should be
  completed.

23
Factors Affecting Skill-Set Requirement
Elements of the IT Audit

• Elements of IS Audit
• Network Security Review Review of internal and
  external connections to the system, perimeter
  security, firewall review, router access control
  lists, port scanning and intrusion detection are
  some typical areas of coverage.
• Business Continuity Review This includes
  existence and maintenance of fault tolerant and
  redundant hardware, backup procedures and
  storage, and documented and tested disaster
  recovery/business continuity plan.

24
Factors Affecting Skill-Set Requirement
Elements of the IT Audit

• Elements of IS Audit
• Data Integrity Review The purpose of this is
  scrutiny of live data to verify adequacy of
  controls and impact of weaknesses, as noticed
  from any of the above reviews. Such substantive
  testing can be done using generalized audit
  software (e.g., computer assisted audit
  techniques).

25
Factors Affecting Skill-Set Requirement
Elements of the IT Audit

• Elements of IS Audit
• It is important to understand that each audit
  may consist of these elements in varying
  measures some audits may scrutinize only one of
  these elements or drop some of these elements.
  While the fact remains that it is necessary to do
  all of them, it is not mandatory to do all of
  them in one assignment.

26
Factors Affecting Skill-Set Requirement

• ISACAs Preparatory Guidance

27
ISACAs Preparatory Guidance

• Use - ISACA CISA Certification Job Practice Areas
• Use - ISACA Model Curriculum

28
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance

• ISACA CISA Certification Job Practice Areas

29
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas
30
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 1IS Audit Process (10)
• Provide IS audit services in accordance
  with IS audit standards, guidelines, and best
  practices to assist the organization in ensuring
  that its information technology and business
  systems are protected and controlled.

31
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 1Knowledge Statements
• 1.1 Knowledge of ISACA IS Auditing Standards,
  Guidelines and Procedures and Code of
  Professional Ethics
• 1.2 Knowledge of IS auditing practices and
  techniques

32
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 1Knowledge Statements
• 1.X.
• 1.7 Knowledge of audit planning and management
  techniques
• 1.8 Knowledge of reporting and communication
  techniques (e.g., facilitation,negotiation,
  conflict resolution)

33
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 2IT Governance (15)
• To provide assurance that the organization
  has the structure, policies, accountability,
  mechanisms, and monitoring practices in place to
  achieve the requirements of corporate governance
  of IT.

34
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 2Knowledge Statements
• 2.1 Knowledge of the purpose of IT strategies,
  policies, standards and procedures for an
  organization and the essential elements of each
• 2.2 Knowledge of IT governance frameworks (e.g.,
  COBIT, ISO 17799)
• 2.3 Knowledge of the processes for the
  development, implementation and maintenance of IT
  strategies, policies, standards and procedures
  (e.g., protection of information assets, business
  continuity and disaster recovery, systems and
  infrastructure lifecycle management, IT service
  delivery and support)

35
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 2Knowledge Statements
• 2.x
• 2.9 Knowledge of the use of control frameworks
  (e.g., COBIT, COSO, ISO 17799)

36
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 3Systems and Infrastructure Lifecycle
  Management (16)
• To provide assurance that the management
  practices for the development/acquisition,
  testing, implementation, maintenance, and
  disposal of systems and infrastructure will meet
  the organizations objectives.

37
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 3Knowledge Statements
• 3.1 Knowledge of benefits management
  practices, (e.g., feasibility studies, business
  cases)
• 3.2 Knowledge of project governance mechanisms
  (e.g., steering committee, project oversight
  board)
• 3.3 Knowledge of project management practices,
  tools, and control frameworks

38
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 3Knowledge Statements
• 3.x
• 3.6 Knowledge of configuration, change and
  release management in relation to development and
  maintenance of systems and/or infrastructure
• 3.7 Knowledge of control objectives and
  techniques that ensure the completeness,
  accuracy, validity, and authorization of
  transactions and data within IT systems
  applications

39
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 3Knowledge Statements
• 3.x
• 3.11 Knowledge of system development
  methodologies and tools and an understanding of
  their strengths and weaknesses (e.g., agile
  development practices, prototyping, rapid
  application development RAD)

40
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 4IT Service Delivery and Support (14)
• To provide assurance that the IT service
  management practices will ensure the delivery of
  the level of services required to meet the
  organizations objectives.

41
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 4Knowledge Statements
• 4.x
• 4.4 Knowledge of the functionality of hardware
  and network components (e.g., routers, switches,
  firewalls, peripherals)
• 4.5 Knowledge of database administration
  practices
• 4.6 Knowledge of the functionality of system
  software including operating systems, utilities,
  and database management systems

42
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 4Knowledge Statements
• 4.7 Knowledge of capacity planning and
  monitoring techniques
• 4.8 Knowledge of processes for managing
  scheduled and emergency changes to the production
  systems and/or infrastructure including change,
  configuration, release, and patch management
  practices
• 4.9 Knowledge of incident/problem management
  practices (e.g., help desk, escalation
  procedures, tracking)

43
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 5Protection of Information Assets (31)
• To provide assurance that the security
  architecture (policies, standards, procedures,
  and controls)
• ensures the confidentiality, integrity, and
  availability of information assets.

44
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 5Knowledge Statements
• 5.1 Knowledge of the techniques for the design,
  implementation and monitoring of security (e.g.,
  threat and risk assessment, sensitivity analysis,
  privacy impact assessment)
• 5.2 Knowledge of logical access controls for the
  identification, authentication, and restriction
  of users to authorized functions and data (e.g.,
  dynamic passwords, challenge/response, menus,
  profiles)

45
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 5Knowledge Statements
• 5.7 Knowledge of intrusion detection systems and
  firewall configuration, implementation,
  operation, and maintenance
• 5.x
• 5.10 Knowledge of virus detection tools and
  control techniques
• 5.11 Knowledge of security testing and
  assessment tools (e.g., penetration testing,
  vulnerability scanning)

46
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 5Knowledge Statements
• 5.12 Knowledge of environmental protection
  practices and devices (e.g., fire suppression,
  cooling systems, water sensors)
• 5.14 Knowledge of data classification schemes
  (e.g., public, confidential, private, and
  sensitive data)

47
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 6Business Continuity and Disaster
  Recovery (14)
• To provide assurance that in the event of a
  disruption the business continuity and disaster
  recovery processes will ensure the timely
  resumption of IT services while minimizing the
  business impact.

48
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 6Knowledge Statements
• 6.1 Knowledge of data backup, storage,
  maintenance, retention and restoration processes,
  and practices
• 6.x
• 6.3 Knowledge of business impact analysis (BIA)
• 6.4 Knowledge of the development and maintenance
  of the business continuity and disaster recovery
  plans

49
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance Certification Job Practice
Areas

• Domain 6Knowledge Statements
• 6.5 Knowledge of business continuity and
  disaster recovery testing approaches and
  methodology
• 6.x
• 6.8 Knowledge of types of alternate processing
  sites and methods used to monitor the contractual
  agreements (e.g., hot sites, warm sites, cold
  sites)

50
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance ISACA Model Curriculum

• ISACA Model Curriculum

51
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance ISACA Model Curriculum

• ISACAs Model Curriculum was developed ISACA as
  a guide for educators wanting a framework of the
  educational topics required for students to
  develop the skills needed to be employable in the
  profession.

52
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance ISACA Model Curriculum

• The seven curriculum domains include
• 1) Audit Process The topics cover the entire
  audit process from basic auditing concepts
  through the reporting and follow-up stages of the
  audit.
• 2) Management, Planning and Organization of IS
  This domain focuses on the management of IS
  process areas such as projects, infrastructure,
  human resources, legal issues and standards

53
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance ISACA Model Curriculum

• The seven curriculum domains include
• 3) Technical Infrastructure and Operational
  Practices This domain includes discussions
  about operating and systems software decisions,
  network communication alternatives, IT
  architecture options, and management of service
  centers.

54
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance ISACA Model Curriculum

• The seven curriculum domains include
• 4) Protection of Information Assets This domain
  includes the logical security principles as well
  as many network security issues, such as
  firewalls, intrusion detection systems and
  encryption considerations.

55
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance ISACA Model Curriculum

• The seven curriculum domains include
• 5) Disaster Recovery and Business Continuity
  These include not only managements
  responsibilities, but also the assurance
  professionals role in these issues and the
  importance of insurance coverage as part of the
  plan.

56
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance ISACA Model Curriculum

• The seven curriculum domains include
• 6) Business Application System Development,
  Acquisition, Implementation and Maintenance The
  business application system development,
  acquisition, implementation and maintenance
  domain includes topics related to enterprise
  resource planning software, the many issues
  related to database management and
  administration, the systems development life
  cycle and software development considerations.

57
Factors Affecting Skill-Set Requirement ISACAs
Preparatory Guidance ISACA Model Curriculum

• The seven curriculum domains include
• 7) Business Process Evaluation and Risk
  Management The last domain, business process
  evaluation and risk management, has only one
  topic areathe audit and development of
  application controls.

58
Factors Affecting Skill-Set Requirement

• Employers Skills Requirement (External/Internal)

59
Factors Affecting Skill-Set
RequirementEmployers Skills Requirement
(External)

• Employers Skill-Set Requirement (External)
  --- Data From Study ---

60
Factors Affecting Skill-Set Requirement
Employers Skills Requirement (External)

• A recent research study, reported in the Journal
  of Information Systems Education, Vol. 18(4),
  analyzed online advertisements for information
  technology audit jobs to classify a list of key
  career skills and knowledge needed to succeed in
  the IS/IT audit field.

61
Factors Affecting Skill-Set Requirement
Employers Skills Requirement (External) Skills
Categories Used For Classification Purposes
62
Factors Affecting Skill-Set Requirement
Employers Skills Requirement (External) --
Survey Results --
Survey Results Table 2 illustrates the number
of times a particular category was mentioned in
the ads and the percentage of jobs listing the
category.
63
Factors Affecting Skill-Set Requirement
Employers Skills Requirement (External) --
Survey Results --
64
Factors Affecting Skill-Set Requirement
Employers Skills Requirement (External) --
Survey Results --
65
Factors Affecting Skill-Set Requirement
Employers Skills Requirement (External) --
Survey Results --
66
Factors Affecting Skill-Set Requirement
Employers Skills Requirement (External) --
Survey Results --

• The research study confirms that although
  technical skills are needed to understand the
  variety of technology used in the organization,
  the IT auditor must have interpersonal skills
  (Soft Skills) to interact with multiple levels of
  personnel within the organization.

67
Factors Affecting Skill-Set RequirementEmployers
Skills Requirement (Internal)

• Employers Skill-Set Requirement (Internal)

68
Employers Skill-Set Requirement (Internal)Your
Employers Skills Requirement

• Use Results from an Assessment of Your
  Organizations (or Potential Organizations) IT
  Environment.
• You could determine your skill-set requirement
  based on the audits that need to be executed at
  your organization.
• You could determine skill-set requirement based
  on the technology needed to support your (or
  Potential Organizations) organization mission.

69
Employers Skill-Set Requirement (Internal)Your
Employers Skills Requirement

• Use Results from an Assessment of Your
  Organizations (or Potential Organizations) IT
  Environment.
• You could determine skill-set requirement based
  on the best fit for your capability keeping in
  mind that it should be relevant to the IS audit
  activities that are currently performed or
  planned.

70
Employers Skill-Set Requirement (Internal)Your
Employers Skills Requirement

• Use Results from an Assessment of Your
  Organizations (or Potential Organizations) IT
  Environment.
• What do you think is your organizations IT
  Audit skill requirement?
• Why?

71
Strategy For Developing Your Skill-set

• Your strategy for developing your skill-set will
  depend on your entry path.
• There are two main entry paths leading to IT
  audit. These include
• Technology Entry Path - Often Information
  Security, IT operations, IT Project Management,
  Systems Development, or Business Analysis

72
Strategy For Developing Your Skill-set

• Your strategy for developing your skill-set will
  depend on your entry path.
• There are two main entry paths leading to IT
  audit. These include
• Accountancy/Audit Entry Path - General or
  Financial Audit, Financial or Management
  Accounting.

73
Strategy For Developing Your Skill-set---
Identifying Skills Needed ---

• If you are coming from the Technology Entry
  Path, what skills do you need?
• Hint - Refer To Study

74
Strategy For Developing Your Skill-set --
Identifying Skills Needed -- Employers Skills
Preferences/Requirements
75
Strategy For Developing Your Skill-set --
Identifying Skills Needed -- Employers Skills
Preferences/Requirements
76
Strategy For Developing Your Skill-set --
Identifying Skills Needed -- Employers Skills
Preferences/Requirements
77
Strategy For Developing Your Skillset --
Identifying Skills Needed --

• If you are coming from the Accountancy Entry
  Path, what skills do you need?
• Hint - Refer To Study

78
Strategy For Developing Your Skill-set --
Identifying Skills Needed -- Employers Skills
Preferences/Requirements
79
Strategy For Developing Your Skill-set --
Identifying Skills Needed -- Employers Skills
Preferences/Requirements
80
Strategy For Developing Your Skill-set --
Identifying Skills Needed -- Employers Skills
Preferences/Requirements
81
Strategy For Developing Your Skill-set --
Identifying Skills Needed --Soft Skills

• What soft skills will you need regardless of
  the entry path of origin?
• Hint - Refer To Study

82
Strategy For Developing Your Skill-set --
Identifying Skills Needed -- Soft Skills

• Soft skills you will need regardless of the
  entry path of origin?
• The following competencies are not considered
  directly in the IS audit Skill-set because they
  are not specific to IS auditors, but they are
  required in most professions.

83
Strategy For Developing Your Skill-set --
Identifying Skills Needed -- Soft Skills

• Managerial Communications and/or Public
  Speaking
• These are communication skills that are employed
  when discussing audit scope, findings and
  recommendations.

84
Strategy For Developing Your Skill-set --
Identifying Skills Needed -- Soft Skills

• Interviewing Skills
• This includes the effective gathering of
  information when interviewing management and
  completing control questionnaires.

85
Strategy For Developing Your Skill-set --
Identifying Skills Needed -- Soft Skills

• Negotiation Skills and/or Personal Selling
• This is needed to convince management to
  implement recommendations for positive change.

86
Strategy For Developing Your Skill-set --
Identifying Skills Needed -- Soft Skills

• Business Writing
• This is useful to produce understandable and
  usable reports and other written communications.

87
Strategy For Developing Your Skill-set --
Identifying Skills Needed -- Soft Skills

• Industrial Psychology and/or Behavioral Science
• This includes the ability to understand and
  effectively manage human behavior throughout the
  audit process.

88
Strategy For Developing Your Skill-set --
Identifying Skills Needed -- Soft Skills

• Project Management/Time Budgeting
• This includes the essential ability to
  effectively and efficiently manage time and tasks
  during audits. Auditors are frequently evaluated
  on meeting budgets.

89
Strategy For Developing Your Skill-set --
Obtaining Skills Needed --

• So much to learn so little time. I need to get
  there fast or just get there.
• Where should I go?
• Lets explore the following avenues for obtaining
  formal IS auditing skills/educationgtgtgt

90
Strategy For Developing Your Skill-set --
Obtaining Skills Needed --

• Participation in a mixture of on-the-job
  training and in-house programs
• This method of education requires that a
  professional already be an employee of an
  organization, and it is most appropriate where
  the technology presented has been adopted and
  implemented by a particular organization. The
  on-the-job training and in-house programs are
  well suited to provide employees with education
  in a well-defined and limited focus area, but are
  not well suited to offer a broad-based
  educational experience for the participants.

91
Strategy For Developing Your Skill-set --
Obtaining Skills Needed --

• Participation in workshops/seminars presented by
  professional organizations or vendors
• This method is available to professionals from
  many different organizations and it is valuable
  in presenting information that is new, or for
  exploring various approaches to IS auditing
  problems. In the workshop/seminar environment, a
  peer group can share perspectives not available
  from a single instructor. However,
  workshops/seminars are usually more expensive,
  take time away from the office, and are typically
  available only to professionals who are already
  employed in the workforce. Also, most seminars
  are limited in topical coverage and do not
  provide the in-depth, technical, hands-on
  competence required in IS auditing.

92
Strategy For Developing Your Skill-set --
Obtaining Skills Needed --

• Participation in university degree or
  certificate programs that are delivered within
  either a full-time or part-time student
  environment.
• These programs can lead to baccalaureate or
  graduate degrees or to specialized certificates
  or diplomas. This is the method that can provide
  professionals (or future professionals) with the
  most in-depth and broad-based educational
  experience. Thus, this is the method that ISACA
  has addressed with its model curriculum efforts.

93
Strategy For Developing Your Skill-set --
Obtaining Skills Needed --

• Regardless of your entry path, you need to be
  certified

94
Strategy For Developing Your Skill-setCertificati
on

• In the United States, usually it is considered
  desirable that IT audit personnel have received
  or qualify to receive the
• Certified Information Systems Auditor (CISA)
• Certified Information Security Manager (CISM)
• Certified Internal Auditor (CIA)
• Certified Information Systems Security
  Professional (CISSP)
• Certified Public Accountant (CPA)
• Certified Computer Professional (CCP)

95
Strategy For Developing Your Skill-set

• Strictly speaking, only the CISA title would
  sufficiently demonstrate competences regarding
  both information technology and audit aspects.

96
Strategy For Developing Your Skill-set

• For more information on the CISA certification
  see the following ISACA publications
• 2008 CISA Program Presentation
• http//www.isaca.org/AMTemplate.cfm?SectionCISA1
  Template/ContentManagement/ContentDisplay.cfmCon
  tentID40799
• Certification - Your Passport to Success
• http//www.isaca.org/AMTemplate.cfm?SectionCertif
  ication3Template/ContentManagement/ContentDispla
  y.cfmContentID39376

97
An Auditors Journey

• While pursuing the MSc. Accounting degree at UWI
  and writing a paper on EDP auditing in the
  Trinidad environment, I came across what was then
  known as the EDP auditors association.
• This was the beginning of my journey in what was
  then known as EDP Auditing

98
An Auditors Journey

• After completing my masters in accounting in
  1983, I went to work for a local accounting firm
  and performed financial audits for just under two
  years.
• Left the company in 1984 to pursue a diploma
  course Computerized Accounting and Auditing for
  Developing Countries at the University of East
  Anglia in Norwich England.

99
An Auditors Journey

• On my return in 1984, I had a brief stint at a
  local affiliate of one of the big six firms.
• During this time, I took every opportunity to
  immerse myself in anything computer related and I
  thought that I was ready to take and pass the
  exams.
• I took the exams in 1985,based on my
  recollection, failed by 3 points.

100
An Auditors Journey

• Not to be deterred, during the next 3 years, I
  took every opportunity to immerse myself in
  anything computer related
• One such opportunity was afforded by NIHERST
  through their course Structured Analysis and
  Design. I was the only student on the course
  with an accounting background and was only
  accepted when one student dropped out.

101
An Auditors Journey

• In the meantime, while working at the
  Organization and Management Division, I worked
  with my MSc Accounting colleagues to mobilized
  interest in the field and worked towards the
  formation of our local chapter and the successful
  inaugural conference on EDP Auditing in October,
  1987.
• I again attempted the exam in 1987 and was
  successful..

102
An Auditors Journey

• Now I was certified so what ?
• Well, I utilized the EDP Audit skills that I
  developed in the analysis of computer systems and
  operations in government and quasi-government
  departments while at the OM Division. But this
  was more Internal Consulting not Internal EDP
  Auditing in the pure sense.

103
An Auditors Journey

• In 1989, my next stop was at the largest
  regional agricultural organization in the
  Caribbean where I served as
• Internal Auditor ( Backup Accountant)
• Fraud Investigator
• Project Auditor
• Systems Analyst/ Implementer Support Person
• Great opportunity to develop skills, but talk
  about incompatible functions !!

104
An Auditors Journey

• In 1993 I responded to an opportunity to take up
  the position of Internal Audit for the government
  of the British Virgin Islands (BVI). I served as
  
• Internal Auditor
• Project Manager for the computerization of the
  accounting systems for the BVI.
  (Very helpful to this was my
  experience with the MIP Fund Accounting System
  that I upgraded and supported while at CARDI)

105
An Auditors Journey

• In 1995 I responded to an opportunity to take up
  the position of Auditor on the IS Audit team at
  the largest financial services group in Iowa.
  After proving myself was promoted to IS Auditor
  after my first year.
• The environment provided limitless possibilities
  for building my technical base through training
  and on the job experience. They provided the
  needed resources and actually rewarded you for
  passing your exams!!
• I served as Vice President of the Central Iowa
  Chapter during my final year in Iowa (1998).

106
An Auditors Journey

• Certifications pursued/acquired during just over
  three years at the Principal Financial Group
  included
• LOMA
• CSM
• CFE
• CIA
• CFSA
• Correspondence Course on computer networking
• CCP ( In process)

107
An Auditors Journey

• In 1998 I responded to an opportunity to take up
  the position of Senior IT Auditor at the MI
  Bank. This was the largest bank in Wisconsin.
  
• There my responsibilities included
• The yearly review of our MI DRP processes.
• Network Management Reviews
• PBX Security Reviews
• Operating System Reviews
• Y2K Preparedness Reviews

108
An Auditors Journey

• During my stay at MI, I completed the final
  exam to obtain my CCP certification.

109
An Auditors Journey

• In 2000, I responded to an opportunity to take
  up the position as Manager IS Audits at the
  University System of Maryland. I was and is in
  charge of planning and executing IS/IT Audits for
  the 13 member university system for the State of
  Maryland.
• After an initial assessment of the IT/IS
  environment at the respective institutions, the
  focus of IS/IT audit work was centered on

110
An Auditors Journey

• Periodic assessment of the IT/IS environment at
  the respective institutions direct our focus on
  the following IS/IT audit areas
• Network Vulnerability Reviews
• Incident Response Reviews
• Patch Managements
• Database Security Review
• Logical Access Reviews (Applications, Dbases,
  OSes)

111
An Auditors Journey

• Survival in this large an environment depends to
  a large extent on your soft skills.
• In order to leverage the vast technical skills
  present at the member institutions, the IT
  personnel had to be convinced that IT/IS security
  is not just a concern for the IT/IS Audit
  Department but is a concern to IT department as
  well.

112
An Auditors Journey

• To solidify the concept, the IT Security Group
  was created. The membership is made up of IT
  security personnel of the respective
  institutions. To maintain IT Audit independence
  our role was active advisor.
• Benefits
• Build support for the audit process. Audit
  Champions
• Assess/Adopt current IS/IT Security Best
  Practices
• Assess/Adopt appropriate security technology

113
An Auditors Journey

• Benefits Contd
• Review/ Update IT/IS security policy
• Self-audit by respective institutions of their
  network security infrastructure with periodic
  review by IS audit.
• Less auditee vs auditor tension during audits and
  quicker agreement with auditor recommendations
• Better understanding of the IT/IS risk
  environment at the respective Institutions.
• Other?

114
The IT Auditor SkillsetA Journey In
Versatility

• Presented By Lennox Brown
• CISA, CA,CCP,CIA,CFSA,CFE,CSM,FLMI,
• NSA (IAMIEM)

115
The IT Auditor SkillsetA Journey In
Versatility

• Presented By Lennox Brown
• CISA, CA,CCP,CIA,CFSA,CFE,CSM,FLMI,
• NSA (IAMIEM)