An IT Manager's Guide to a Successful Audit [ PART 5 of 5 ]
Summary Tips for a Successful IT Audit
There are some things that are sure to sink an audit engagement. They are easy to avoid; however, I see people fall into these traps all too frequently. Simply knowing what they are should enable you to recognize them early and, hopefully, avoid them.
- Poor communication. I probably don’t need to spend much time describing what this does to a relationship. For this engagement to be a partnership you need to communicate effectively with your audit team. This means regular, meaningful communication, and it needs to be a two-way street. If you feel a staff auditor isn’t forthcoming with information, escalate to the team lead or audit manager. Explain that you view the engagement as an opportunity to partner with them and want more out of it. I’ve never known a manager, audit or otherwise, to turn down this type of offer.
- Don’t get defensive. The auditors are simply doing their job: assessing the controls in your environment. Nothing they do or say should be taken out of context or assumed to be an attack on you or your team. They are about the most objective group of individuals you’ll ever meet. Every profession has “that guy”, the one who lives to make life miserable for everyone around them; you might even know one in your line of work. If “that guy” happens to be your auditor, take the high road. Nothing good will come of doing battle on a matter of principle. Do your best to work with auditors as professionals and your engagements will run amazingly smoothly. Cop an attitude and you’re in for a wild ride.
- Be willing to complete the simple tasks. While most technology professionals loathe creating documentation, it is one of the easier tasks, and auditors will key on it every time. Spend the time and document your processes. Not only does this make for a more successful audit, it helps with disaster recovery planning, cross-training, and reducing support costs.
- Talk with your auditor about their expectations and explain yours to them. It may be unrealistic to expect to have no gaps or deficiencies. Working with your audit team to communicate and document expectations reduces the chance that one or both parties are completely surprised during the reporting phase.
- The more active the management team is in the audit, the better the chance of a satisfactory rating. I’m not advocating that a manager be the point of contact or run the audit engagement. They do, however, need to attend the kickoff meetings, negotiate scope and timelines, provide input during fieldwork, and influence the final report. If your team sees you interacting with auditors, they will take their cue from you. Hide and they’ll hide; build partnerships and they’ll build partnerships.
- Having a single point of contact works best for both teams. The auditors don’t waste time tracking down the individuals responsible for a given function or piece of documentation, and your team isn’t constantly interrupted to provide testing evidence. The point of contact becomes the mediator: they can help narrow scope, revise testing scenarios, and work with the auditor to streamline each request before it reaches your operational teams. A good point person working with auditors is invaluable. If you are in a highly regulated environment, such as banking or healthcare, a person dedicated to working with auditors, tracking remediation plans, and writing management responses is a necessity for most mid-sized or larger organizations.
- Negotiate a win-win situation with the audit manager up front. Find out what they want to accomplish through the audit and tell them your objectives. Find common ground and work to build a scenario that gives you both the best opportunity to succeed. Skipping this step will only hurt you: the audit is going to happen with or without your input. You might as well make the best of it and find a way to turn it into a positive experience.
- Preparing for an upcoming audit is essential. Build audit prep into your daily routine. Make documentation part of the build process. Tie operational processes to the policy or control statements they satisfy. The more work you do to prepare for an audit, the less you’ll have to do during it. I’m usually more successful and comfortable performing tasks against self-imposed deadlines than against seemingly arbitrary deadlines imposed by others.
- Self-audits are a great way to prepare for an audit. If you’ve been through an audit before, reuse the testing scenarios from the last cycle as a dress rehearsal for the next one. Your team will be better prepared and equipped to respond during the actual audit, and you get a sneak peek into what’s happening in your organization. One of the things I always hated was finding out from an auditor that my team had decided at some point to stop following documented procedures without telling me. Sometimes they had simply changed the procedures to meet operational goals, and in most cases the changes were warranted. However, if the changes aren’t documented, you’re going to be cited for them. Being able to identify gaps early and address them behind closed doors is one of the greatest values of the self-audit. If you self-audit frequently enough and your audit cycles are long enough, a discrepancy that you find and fix may fall entirely outside the auditor’s look-back period and never be found by the auditor at all. Having gone through the self-audit will also give your team the confidence they need to interface with the auditors and build a solid relationship with them, which helps bridge communication gaps and reduce confusion during the audit.
There is no way to ensure you’re going to come out of an audit unscathed. You can, however, minimize any negative impact by being an active participant. The worst possible thing you can do is to let what happens, happen; this is a naïve and dangerous approach. By building relationships, engaging in the entire process, and communicating and negotiating with the audit team, you stand a very good chance of improving the rating you would otherwise have received, and you remain at least somewhat in control of your destiny.