IT audit tool advice
maharaliel
Member Posts: 119
in CISM
Dear all;
I am working in an organization as an IT auditor, and our organization has many IT systems that need to be audited. We have many databases that run on Oracle and SQL Server, our network generally uses Cisco devices, and we have many applications that are web based and accessed over the internet. My supervisor requested me to propose the audit tools that should be used to audit our systems, and I proposed IDEA, CPA (Cross Platform Audit) and Pentana, but he asked me to add other tools to audit the efficiency and effectiveness of IT systems specifically. So I would like to ask your advice on tools that can be used to audit IT systems in the environment that I have described.
Comments
gespenstern
Member Posts: 1,243
I worked for one MSP and they had Everest/AIDA64 with their own templates/scripts. Basically this tool runs on all domain computers (or workgroup ones, but in this case we have to mess with passwords in the script) and produces a CSV, Excel-importable output on each computer. The program is portable and doesn't install anything on target machines. You just run a script with local admin privileges on all servers/workstations from a single server/PC and it gets the job done. All the info: hardware, software installed, when, local policies, which GPs are applied, any major stuff from Event Viewer, etc. Usually it takes a day to collect all the info, but for the most part it's talking and negotiating with the client how we do that. The technical part takes no more than an hour, querying thousands of machines at once and putting the output on some share.
Then they had a homegrown parser that parsed all the files looking for specific items and produced a report on what could be wrong, what could be so-so, how we could improve this or that, and what is a violation of PCI-DSS recommendations, Microsoft recommendations and/or industry best practices. Then the auditor opened a Word document with typical audit report content, put in there what was discovered, and added his own thoughts/recommendations according to audit guidelines.
So this solution worked on Windows machines only.
And I never heard about the tools that you proposed in this topic.
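The collect-then-parse workflow described in the comment above, as an added Python example that is not the MSP's parser or part of the original post. The `category,item,value` CSV layout, the host names, the rule set and its thresholds are all constructed assumptions, not AIDA64's report format or wording from any standard.

```python
import csv
import io
from collections import defaultdict

# Constructed per-host reports as they might land on the collection share.
# The category,item,value layout is an assumption, not AIDA64's real format.
SAMPLE_REPORTS = {
    "WS-001": "category,item,value\npolicy,MinimumPasswordLength,6\n"
              "policy,LockoutThreshold,0\nservice,Telnet,Running\n",
    "SRV-DB1": "category,item,value\npolicy,MinimumPasswordLength,14\n"
               "policy,LockoutThreshold,5\nservice,Telnet,Stopped\n",
}

# Illustrative baseline: (category, item) -> (fails?, severity, message).
# Thresholds are placeholders, not quoted from PCI DSS or any vendor guide.
RULES = {
    ("policy", "MinimumPasswordLength"):
        (lambda v: int(v) < 12, "violation", "below baseline minimum"),
    ("policy", "LockoutThreshold"):
        (lambda v: int(v) == 0, "violation", "account lockout disabled"),
    ("service", "Telnet"):
        (lambda v: v.strip().lower() == "running", "warning", "cleartext admin service"),
}

def audit_host(host, csv_text):
    """Return (host, severity, message) findings for one host's report."""
    findings, seen = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["category"], row["item"])
        if key not in RULES:
            continue
        seen.add(key)
        fails, severity, message = RULES[key]
        try:
            if fails(row["value"] or ""):
                findings.append((host, severity, f"{key[1]}={row['value']}: {message}"))
        except ValueError:  # a value the rule cannot parse is reported, not skipped
            findings.append((host, "gap", f"{key[1]}: unparseable {row['value']!r}"))
    # A setting absent from the report cannot be assumed compliant.
    for key in sorted(RULES.keys() - seen):
        findings.append((host, "gap", f"{key[1]}: not collected"))
    return findings

def audit_all(reports):
    grouped = defaultdict(list)
    for host in sorted(reports):
        for _, severity, message in audit_host(host, reports[host]):
            grouped[severity].append((host, message))
    return dict(grouped)
```

Calling `audit_all(SAMPLE_REPORTS)` returns findings grouped by severity; the `gap` bucket lists settings that were missing or unreadable in a host's report, which an auditor would follow up manually.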