Slashdot Mirror


User: CHLeGrand

CHLeGrand's activity in the archive.

Stories: 0 · Comments: 1

Comments · 1

  1. Re:Oh, this sounds like a good idea... on Should Auditors Be Liable For Certifications? · Score: 1

    Actually, an auditor can audit anything you are willing to pay them to audit. If you did not pay for the auditor to examine control infrastructures at a technical level, then the problems existing there are outside the scope of the audit unless the symptoms of control weaknesses are so obvious they should be recognized in a superficial review. As yet, I have not seen auditors digging into configuration management or change controls at the level described in the ITPI's "Visible Ops" or "Visible Ops Security." Some internal auditors may address controls at that level, and there are many auditors with the technical competence to do so, but such diligence is not typical in an external audit. Audit scope may be specifically limited (as in the case of a SAS 70 review) to whatever the client wants - or does not want - the auditor to see. Audit engagements tend to be based on prevailing practice, judgement calls on risk management and compliance, and some "standard" audit techniques designed to address the more obvious controls. To date, the market has not demanded or been willing to pay for audit examinations that dig deeply into security management, measurement, monitoring, and/or the cultural and political elements impacting security effectiveness. Security professionals know you can be fully compliant yet not secure. Until you give the auditors full authority (and unlimited budget) to go beyond what everyone else is doing, you will continue to get superficial point-in-time or period-of-time reviews with limited value. Management can, of course, commission internal audit to perform or oversee such technical reviews, but for the most part they are willing to take their chances with the status quo rather than dig deeply and find problems that may be expensive to repair. Finally, there are the crooks who disable security controls to allow them to cover up money laundering, identity theft, or other crimes. In such an environment the technical depth of prevailing audit practice is not deep enough to prevent such people from covering their tracks. That is another reason auditors typically disclaim responsibility for fraud detection.