I presented a session at the Nebraska Cert Conference yesterday about working with IT auditors. It was quite funny to watch the facial expressions of people in the room as the session progressed. At the beginning I asked for a show of hands to see if any IT auditors were present. About half a dozen in the crowd of around 30 raised their hands.
The basic premise of my presentation was that IT management needs to be more involved in the IT audit process. As the session progressed I saw lots of smiles and head nods from the auditors. The rest of the group nodded their heads in agreement, but it wasn't the same. It almost looked like a football team that was defeated before they even hit the field. They knew they needed to play the game but had resigned themselves to the inevitable outcome before the first snap.
This tells me something about our current climate. As the frequency and depth of IT audits are increasing due to the ever-changing regulatory environment, tensions are running a little high. IT groups know they are under the gun. With every new regulation comes more work and an eventual audit. This can be quite a pressure cooker to operate in on a daily basis.
I place responsibility squarely on IT management to change this culture. My company's name is Integrity. In essence it's about doing the right thing even when nobody's looking. IT managers need to change the culture in their organizations. Not that anyone is doing a bad job, but sometimes we let things slide when nobody's looking over our shoulder. Log analysis or documentation gets put aside when you've got network outages or development bugs to fix. Then when an audit is announced the tension runs high because everyone knows there are some things that were shelved and never picked back up.
IT management needs to do a better job of making sure their teams are provided ample opportunity to do the job correctly and completely. They should even go so far as to require it. Make it a part of performance reviews if needed. When management takes the details seriously, so will their teams.
My guess is that once we start to sweat the details in IT, audits won't be so stressful. And when audits are so stressful, we might actually begin to appreciate what they tell us about our organizations.