I searched the web for checklist templates on IT security auditing today and found a site which offered some MS Office documents used as templates in former audits at German banks.

After downloading all of them I started to take a quick look through them to sort out those which will help me in our upcoming audit. The third document (German) I opened up in OpenOffice.org was an Excel sheet with two tables where the second one was initially opened, so I switched to the first and was presented with the seventh page of 17 in all. The auditing questions in there were about user management and the creation and expiry of accounts.

As I scrolled up a bit I saw that there were not only the questions but also their respective answers still in this document. It seems that some fool who audited this bank put the document on his webpage without cleaning the information from it. At least 6 pages of the first table contained answers outlining the current IT landscape, with some of them marked as "high risk" by the auditor himself.

Example from the auditing report

Most of the text is about what kind of rules are not defined and where exceptions to their procedures can occur. Maybe enough information to put their infrastructure at risk!

Conclusion: Even if you run through an audit on a regular basis, no one spares you from the incompetence of the auditor!