Pratum Blog

An IT Manager's Guide to a Successful Audit [ PART 3 of 5 ]

Communicating Throughout the IT Audit Process

How you view your audit team will directly impact your ability to communicate and partner with them. If you view this relationship as adversarial, you’ve got a long road ahead of you.

Communication channels must be established quickly. Both teams need to know the protocol for whom to communicate with and how. One of the biggest concerns commonly raised by management is poor communication. Finding ways to improve this over the short term certainly won’t hurt.

Assigning a single point of contact for each audit helps the transition into and out of the audit run much more smoothly. It also helps alleviate some of the pressures commonly associated with an audit.

Everything in an audit has to be documented: purpose, scope, testing scenarios, test evidence, opinions, reports, everything. Get used to the fact that agreements, assertions, and other items which are typically fine in verbal form for day-to-day operations may not suffice in an audit.

Attitude is Paramount

Your attitude toward auditors will set the tone for the engagement. Try viewing them as a group that is trying to help you become a better organization. With this approach, you immediately want to learn from their experiences, hear their insight, and mine as much knowledge from them as possible. This is the basis for a great audit engagement.

When someone sees the opportunity to build a relationship with you, they typically take a different approach to their interaction. “You work with me…I’ll work with you.” We’re all the same at some basic level. We want to be liked and respected. Keeping things on an even keel with professional courtesy and respect will enhance your experience.

When your staff members see you take this approach they will begin to emulate it. They will try to work with the auditors and find solutions that benefit both parties. If, however, you close your office door and mock the auditors or their work, your team will also exhibit this behavior and it will be hard to hide. Their approach to the engagement will be evident and your true colors will be discovered by the auditor.

Communication Channels

Communication channels must be established quickly. Both teams need to know the protocol for whom to communicate with and how. Will there be weekly meetings? Who should attend? Will minutes be taken and shared? When do we escalate issues? It’s often best to take care of things at the lowest levels. This is where most of the knowledge is, and it just makes sense. Give people the benefit of the doubt when following up. Perhaps they just missed an email or voicemail. Maybe they forgot. Usually people aren’t trying to dodge you. This isn’t an excuse for repeated communication gaffes or a lack of professional courtesy. Just don’t be too quick to judge if they’ve only missed one phone call.

Get every request from the audit team in writing. It is inevitable that there will be miscommunication. These are two teams who don’t regularly work together. They are forced to complete a high visibility project in an extremely short timeframe. Getting requests in writing minimizes the chances of miscommunication. You also need to enforce with your team that they aren’t to make assumptions as to what has been requested. If they don’t understand, or have suggestions that may yield better results, have them take this to your point of contact for review with the audit team.

Single Point of Contact

Assigning a single point of contact helps ensure consistent communications and processes. The audit timeline is typically very short. Auditors have a “production” schedule just like the rest of us. They want to get in and get out as quickly as possible. Delays in your audit mean possible impacts down the road. Learning how to communicate with a large group of people or trying to interpret how each individual processes information is time consuming. You don’t have this luxury during the audit process. Giving the audit team a single point of contact gives them some reasonable assurance that your team will be available when needed.

By identifying a single point of contact from your team, you can minimize the operational impacts. This will be accomplished by reducing the number of duplicate requests and having an experienced staff member scope and review test scenarios before they are given to your team. There is nothing worse than spending hours gathering evidence for an auditor and then being told after a 5-minute review that the data isn’t what they needed. Sometimes auditors are just a little overzealous as well. They want to find that big issue that’s going to look great to a performance or promotion review board. They’ll take as much access to your team as you’ll give them. While you don’t want to hinder this access, you certainly need to control it. The single point of contact ensures questions are being directed only to those who have the answers.

Get it in Writing

Auditors want to see everything in writing. Having a policy or procedure your team follows can only be validated if it is written down. Using undocumented controls or procedures isn’t a bad thing. You won’t be cited for using them unless they contradict your existing documentation. In most cases, you’ll be cited for not having a written, repeatable process. Management may have to get involved in this case as not everything can be written down. You may have some wiggle room if you can show that a written procedure would create a hardship, isn’t cost effective or doesn’t mitigate any risk. You’ll be hard pressed to find many examples of these cases though.

You are going to create mounds of documentation during an audit. That is why the scoping activity discussed in our next article is so important. Typically, auditors will want to run reports based on certain criteria to show evidence that a control is working. In some cases, such as system configuration, you might not be able to run a standard report. You might be able to provide a configuration file or possibly a screenshot to satisfy their needs. Either way, your team needs to be prepared for the effort required to identify sources, specify report parameters and then run the reports. You’ll usually underestimate this your first time through, so add a buffer to the timelines. It is better to under-promise and exceed expectations than the other way around.
