Ian Cooke, CISA, CGEIT, COBIT-F, CFE, CPTS, DipFM, Six Sigma Green Belt, ITIL-F
One of my grandmother’s favorite sayings was, “There is more than one way to skin a cat.” This means that there is more than one way of achieving an aim. In IT auditing, this is most certainly the case. Indeed, not only is there more than one way of achieving your aim, there are often instances when the perceived or accepted best practice is not practical.
This, I believe, is true when auditing Oracle databases, where the accepted best practice is to validate the database with a security scanner. But this may not always be possible. For example, the costs may be prohibitive for smaller companies, or as a consultancy, you may not be given permission to scan a mission-critical database.
In these instances, computer-assisted audit techniques (CAATs) come into their own. CAATs can be tailored for multiple tasks, and when combined with information taken directly from the Oracle database, they can be used to provide assurance for a number of risk concerns, including many of those defined in the main Oracle Security Standards. Furthermore, your company can define its own standard within the CAAT software and use this as a basis to compare against all of its Oracle databases, thus increasing compliance and speeding up the audit process.
So there are indeed many ways to skin a CAAT.