Penetration Testing mailing list archives

[PEN-TEST]


From: Mark Williams <mdwilliams_44 () YAHOO COM>
Date: Thu, 7 Sep 2000 13:23:01 -0700

> end questions are these.

> How can companies decide which auditors really do a
> decent job and are worth their value?

As an auditor of some years' experience, I would like
to add my 2 cents' worth. The biggest and best
recommendation is from other auditees. If an auditor
won't share his customer list, or at least a selection
of references, get out quick!

> Are there any certifications or industry groups out
> there or on the horizon that will evaluate and
> endorse auditors?

ISACA, the Information Systems Audit and Control
Association, of which I am a member, sponsors the CISA
designation (which I hold). Like all designations, it
can only tell you so much. However, the CISA shows
that the auditor has at least 5 years of consistent
audit and/or security practice experience. It also
shows that they understand the concepts and procedures
involved in auditing and controlling information
systems. Unfortunately, it is no guarantee of quality.

As one wise auditor once told me "there are those who
have 20 years of experience, and those who have one
year of experience twenty times".

> What is the best approach from a network admin
> position to counter end results delivered by
> auditors if they seem to be in error?

First, be in on the original discussions as to scope
and expected results. Then make sure you are talking
to the auditors, and get their results before they show
management. I, for one, always double-check my findings
with the admin crowd to avoid getting egg on my face,
as these auditors obviously have. (I should also
mention that I have some years' experience as both a
system admin and as a Director of Data Security, so my
experience may not be average.)

> Has anyone else been through this, and is it destined
> to get worse before getting better?

Getting worse? Probably. I hesitate to say it, but
many large firms are realizing there is gold in IS
audit. With very few CISAs out there to troll, they
are taking immature, often inexperienced auditors and
forcing them into the IS mold. But then, the Big 5 have
always used their clients as a training ground for new
hires.

I think your only defense is to ensure that you know
the quals and background of the lead auditor or audit
manager assigned to your audit, and question his
credentials before things begin. Make sure that he at
least is a CISA, and preferably all those working under
him as well (good luck).


> Thanks for any thoughts or comments,
> Derrick

I am not sure this helped, but it is an opinion from
someone with some years of experience. I now work as a
consultant, so I can look back without the blinders on,
I think.

Mark Williams, CISA
secur-IT.com Inc

markw () secur-it-now com




