Over the years, audits have gotten a pretty bad rap. They can take a long time and seem only to point out everything you're doing wrong, not to mention the million other things they pile onto your to-do list. IT audits don't have to be that way, however, nor should they be. There are many positives that come from audits.
Here are some tips to help you get the most out of your next IT audit.
Select a Qualified Auditor
You may not have a choice about whether or not to be audited, but you do get to choose who conducts the IT audit. Select a firm with relevant experience and knowledge. Audits are a great way to learn about new threats, technologies, vulnerabilities and so on, so be sure to select an auditor that is willing to help you learn. Find a firm that responds quickly and is open to discussion and questions.
Assign an Audit-Owner
Identify an individual from your organization to lead the audit effort. This individual should be the "go-to" person responsible for compiling documentation, communicating with the auditor, redirecting requests and being available while the auditor is onsite. Identifying an audit-owner to track documents and requests will help the audit move along efficiently. It's also important to remember that the auditor's progress depends on the audit-owner's responses, so make sure this individual has time dedicated to the engagement.
Some auditors will request documentation before arriving onsite. Be prepared to provide them with as much as you can. Of course, some items must remain onsite for availability or confidentiality reasons, so have those ready when the auditor arrives. Also, remember that preparing for an IT audit is an ongoing process. If you are scrambling at the last minute to throw everything together, you can expect the audit to take much longer. Compile documentation and evidence throughout the year, and save it in a central location so it can easily be found.
Another part of being prepared is understanding the audit process and what to expect. Make sure the auditor has outlined a clear plan for your organization, including a schedule and timeline.
Auditors know that most people are not IT experts. Many of you are probably a Vice President, Compliance Officer or even HR manager who has also been tasked with leading IT decisions. If you don't understand something, ask for clarification. The IT world is full of terminology that many find unfamiliar. Don't be afraid to clarify and validate information; doing so will help you avoid wasting time gathering the wrong documentation.
The tips above won't make the audit successful unless you go into it with an open mind and a positive, ready-to-learn attitude. Auditors don't want to be the bad guys. Look at the audit as a way to learn new things and improve your organization.
Top Tips for Developing Effective Security Awareness and Training Programs
To implement and maintain an effective information security awareness and training program, several "best practices" and building blocks should be used.