It's all about trust

03.04.2006

The second is through informal consulting. I may stand in a hallway, sit in a cubicle or simply respond to an e-mail with a casual evaluation or an answer to a question. An example of a question would be, "We're thinking of consolidating our 100 Unix boxes down to 10. What do you think the risks might be?" or, "What resources do you have that will help us to develop a penetration-test charter?" We talk about whatever they are concerned about or want to know. Both aspects of the job are important.

What is an internal control? An internal control is any and all of the means -- tangible and intangible -- that can be used to ensure that established objectives are met. This will also include an organization's procedures that increase its efficiency and ensure that its policies are implemented and that its assets are safeguarded. For IT, the main controls that any organization needs to be concerned with -- at a minimum -- are for access security, problem and incident reporting, change management and application development.

What is the most important IT skill or aptitude you need to do your job? To do it well, I need to understand how technology works, how technology people view their jobs and how IT fits into the organizational picture. That gives me the broader viewpoint I need to suggest improvements. I don't need to know how to do the technical jobs, but I need to understand how they fit into the overall scheme of things. Another aptitude that auditors need is curiosity and persistence. We need to be able to continue to ask questions until we're satisfied with the answer. Persistence is not aggressive and pushy but more along the lines of determined and consistent.

What is the most important soft skill or personality characteristic you need to do your job? Communication skills are critical. It's the people skills and the ability to get along with others -- to talk to them at their level (either higher or lower than my own) -- that makes them comfortable to talk with me. I could just look at data and procedures and form an opinion, but it would be shallow at best. IT people really hold the key to a well-run IT organization, and the auditor's ability to get them to talk about their jobs is vital in gaining an understanding of what is really happening. I think that an important personality characteristic is to be approachable. No one wants to talk to someone they find scary or untrustworthy. Being approachable must also imply that you have integrity and [can be trusted with] what they want to say to you.

What is the biggest misconception about what you do? That I am somehow the organizational police looking only for violations (internal control concerns) and then enjoying handing out organizational tickets (audit findings). That's a harsh viewpoint that the profession has tried to step away from for a very long time. We're mostly succeeding, but we have not yet arrived at audit Valhalla.