Ron Woerner

Preparing for an Audit: Three Essential Steps

The auditors are coming! The auditors are coming! An upcoming audit can bring fear to even the most seasoned IT professional. Audits are seen as a necessary inconvenience in the IT world. They are often required activities to prove compliance with laws and regulations such as Sarbanes-Oxley (SOX). And they provide an independent and objective appraisal of the enterprise’s efficiency, effectiveness, and security. Auditors can also be the hammer needed by IT and security to influence critical changes. In order to have a successful IT audit, you should follow these three essential steps:

  1. Know your policies and standards. To prepare for an upcoming audit, you should know what you will be tested against. Auditors need to audit against something. That “thing” is normally your enterprise’s policies, standards, and procedures. They may also be auditing against a federal law such as SOX, an industry regulation like PCI, or international standards such as COBIT or ISO 2700X. You need to find out what your auditors will be using as a basis for their assessments. The easiest way is to ask them well before the audit. Then spend time prior to the audit to review those standards and ensure your enterprise meets the requirements. At the audit kickoff meeting, make sure you confirm those standards still apply to the upcoming audit.

  2. Organize audit evidence. Auditors look for evidence that the organization has designed and implemented appropriate controls to address their compliance requirements and that there are no design, operational, or procedural deficiencies. Organize your IT controls to work with the framework that your auditors use. In addition, you should discuss with audit management the evaluation criteria and how the audit will be conducted. This will help ensure that you and your auditors communicate clearly about the audit’s objectives.

  3. View the auditors as partners rather than enemies. In the audit kickoff meeting, you should understand the key areas on which they plan to focus. You may need to reprioritize projects or other activities to assist the auditors. This is often one of the pain points for IT in that they see the audit activity as interfering with their normal work. Rather than fighting the audit process, it’s better for everyone, including your enterprise, if you get along. The auditors have a job to do, just as you do. Help them do their job, and they’ll be better positioned to help you and ensure your enterprise is meeting its goals.

Your IT audit should confirm that key risks to the enterprise are identified, monitored, and controlled; that security controls are operating effectively and efficiently; and that business leadership and staff have the ability to recognize and respond to new threats and risks. By establishing expectations at the start of the audit, you will reduce potential misunderstandings. Expectations are a two-way street, where enterprise management should help auditors ensure that the audit process and deliverables are aligned and that all participants understand each other’s and the audit’s goals.

By preparing for the audit process, IT managers can ensure a smooth and well-run audit with minimal interference with normal business activities.

For more information, see:

Do You Know Where Your IT Assets Are?

Auditing and Compliance in the Cloud

Can Your Business Survive a Software License Audit?
