Too Many Generalists – Internal Auditor Magazine Example

Forewarning – this is yet another rant. The views expressed herein are personal and do not reflect any viewpoint of my current employer. But I do feel bad because we have an advertisement right on the facing page of the article that I point out in this posting…. In my seven years as a member of the IIA and a Certified Internal Auditor, the IIA has not once responded to inquiry emails nor answered their phone when I had a question, so don’t feel so bad about what I am about to point out.
A couple days ago I decided it was time to clean up the stack of Internal Auditor, ISACA, ISSA, QST, Nuts-n-Volts and other magazines that have accumulated, so I packed them all in my briefcase. The motivation then becomes one of lightening my load, so I read them and stack them at the office – a good unload location. While in the train the other day I pulled December’s issue of Internal Auditor and read through the table of contents. This is the way that I read magazines, hardly ever reading cover-to-cover, but picking out topics of interest and going on to the next publication.

With all the buzz about cloud computing and virtualization, one article that caught my interest was titled “The New Age of Virtualization” on page 25. I excitedly turned to the article, read through the introductory lines on the basics, then came to the section titled ‘Auditing Virtual Machines’, where there were eight sub-sections: security, segregation of duties, change management, configuration management, data integrity, disaster recovery, training.
Not one of these sub-sections points out in detail the uniqueness of these audit areas as it pertains to virtual environments. Even the security and segregation of duties sections do not point out that virtual disk systems shared between virtual systems should be evaluated. Change management applies to all systems – virtual or not, and same for configuration management. In data integrity, however, the authors finally point out the issues of cross-partition access in a single sentence, which is a subject deserving much more attention. Then disaster recovery and training …. ditto – same for all systems.
Of course, what should I expect from a magazine like Internal Auditor? The title alone makes us yawn. However, many internal auditors do perform IT audits and any of those audits are increasingly on virtual systems, making this subject very important. The more I read articles from ‘thought leaders’ and the more that I see how services are delivered (by other teams), the more I realize that many consultants out there are delivering expensive fluff.
On, on…. 73s, and please comment.
