Integrity Blog

An IT Manager's Guide to a Successful Audit - PART 3 - Communicating Throughout the IT Audit Process
An IT Manager's Guide to a Successful Audit [ PART 3 of 5 ]

Communicating Throughout the IT Audit Process

How you view your audit team will directly impact your ability to communicate and partner with them. If you view this relationship as adversarial, you’ve got a long road ahead of you.

Communication channels must be established quickly. Both teams need to know the protocol for whom to communicate with and how. One of the biggest concerns commonly raised by management is poor communication. Finding ways to improve this over the short term certainly won’t hurt.

Assigning a single point of contact for each audit helps the transition into and out of the audit run more smoothly. It also helps alleviate some of the pressures commonly associated with an audit.

Everything in an audit has to be documented. Purpose, scope, testing scenarios, test evidence, opinions, reports, everything. Get used to the fact that agreements, assertions, and other items which are typically acceptable in verbal form for day-to-day operations may not suffice in an audit.

Attitude is Paramount

Your attitude toward auditors will set the tone for the engagement. Try viewing them as a group that is trying to help you become a better organization. With this approach, you immediately want to learn from their experiences, want to hear their insight, want to mine as much knowledge from them as possible. This is the basis for a great audit engagement.

When someone sees the opportunity to build a relationship with you, they typically take a different approach to their interaction. “You work with me…I’ll work with you.” We’re all the same at some basic level. We want to be liked and respected. Keeping things on an even keel with professional courtesy and respect will enhance your experience.

When your staff members see you take this approach they will begin to emulate it. They will try to work with the auditors and find solutions that benefit both parties. If, however, you close your office door and mock the auditors or their work, your team will also exhibit this behavior and it will be hard to hide. Their approach to the engagement will be evident and your true colors will be discovered by the auditor.

Communication Channels

Communication channels must be established quickly. Both teams need to know the protocol for whom to communicate with and how. Will there be weekly meetings? Who should attend? Will minutes be taken and shared? When do we escalate issues? It’s often best to take care of things at the lowest levels. This is where most of the knowledge is, and it just makes sense. Give people the benefit of the doubt when following up. Perhaps they just missed an email or voicemail. Maybe they forgot. Usually people aren’t trying to dodge you. This isn’t an excuse for repeated communication gaffes or a lack of professional courtesy. Just don’t be too quick to judge if they’ve only missed one phone call.

Get every request from the audit team in writing. It is inevitable that there will be miscommunication. These are two teams who don’t regularly work together. They are forced to complete a high-visibility project in an extremely short timeframe. Getting requests in writing minimizes the chances of miscommunication. You also need to make clear to your team that they aren’t to make assumptions as to what has been requested. If they don’t understand, or have suggestions that may yield better results, have them take this to your point of contact for review with the audit team.

Single Point of Contact

Assigning a single point of contact helps ensure consistent communications and processes. The audit timeline is typically very short. Auditors have a “production” schedule just like the rest of us. They want to get in and get out as quickly as possible. Delays in your audit mean possible impacts down the road. Learning how to communicate with a large group of people, or trying to interpret how each individual processes information, is time consuming. You don’t have this luxury during the audit process. Giving the audit team a single point of contact gives them some reasonable assurance that your team will be available when needed.

By identifying a single point of contact from your team, you can minimize the operational impacts. This will be accomplished by reducing the number of duplicate requests and having an experienced staff member scope and review test scenarios before they are given to your team. There is nothing worse than spending hours gathering evidence for an auditor and then being told after a 5-minute review that the data isn’t what they needed. Sometimes auditors are just a little overzealous as well. They want to find that big issue that’s going to look great to a performance or promotion review board. They’ll take as much access to your team as you’ll give them. While you don’t want to hinder this access, you certainly need to control it. The single point of contact ensures questions are being directed only to those who have the answers.

Get it in Writing

Auditors want to see everything in writing. Having a policy or procedure your team follows can only be validated if it is written down. Using undocumented controls or procedures isn’t a bad thing. You won’t be cited for using them unless they contradict your existing documentation. In most cases, you’ll be cited for not having a written, repeatable process. Management may have to get involved in this case as not everything can be written down. You may have some wiggle room if you can show that a written procedure would create a hardship, isn’t cost effective or doesn’t mitigate any risk. You’ll be hard pressed to find many examples of these cases though.

You are going to create mounds of documentation during an audit. This is why the scoping activity discussed in our next article is so important. Typically, auditors will want to run reports based on certain criteria to show evidence a control is working. In some cases, such as system configuration, you might not be able to run a standard report. You might be able to provide a configuration file or possibly a screenshot to satisfy their needs. Either way, your team needs to be prepared for the effort required to identify sources, specify report parameters and then run the reports. You’ll usually underestimate this your first time through, so add a buffer to the timelines. It is better to under-promise and exceed expectations than the other way around.


Download the entire guide by visiting the following link.

IT Manager's Guide to a Successful IT Audit
White Paper: An IT Manager's Guide to a Successful Audit

This white paper provides an overview of the audit process and how IT management can insert themselves into this process to benefit from the exercise.

Download White Paper

An IT Manager's Guide to a Successful Audit - PART 2 - Understanding and Working with Auditors
An IT Manager's Guide to a Successful Audit [ PART 2 of 5 ]

Understanding and Working with Auditors

Not all audits are equal. There are different reasons to audit, so it would be reasonable to assume that audits would be initiated by various groups. We’ve reviewed a little about how the type of audit can impact you; now let’s look at how the auditor can impact you. Ronald Reagan was famous for using the phrase “Trust but Verify” when dealing with the Soviet Union in the 1980s. This can also be an approach to take with auditors. In general, auditors aren’t “out to get you”; however, you should always question the motives of the individuals and strive to understand the details of your audit engagement.

You need to ask questions like, “Who do they work for?”, “What impact does the audit result have on them?”, “Do they have experience in this field?” These types of questions will help you assess the best way to approach and communicate with your audit team. You both have a stake in a successful engagement regardless of whether you “work” for the same company. Your motives for success might be vastly different, but this in no way diminishes the fact that you both need to score a win. An auditor is typically considered successful if they routinely find gaps and provide solid opinions on how an organization can improve. A department is considered to have successfully passed an audit if they have no significant or material gaps that need to be remediated. Acknowledging that we are not perfect, and that we may have room to improve, allows for both the auditor and entity being audited to have a successful engagement.

The first myth that needs to be debunked is that auditors are trolls who live under a bridge and only come out to make your life miserable. Nothing could be further from the truth. In my experience auditors are quite often friendly individuals who have a wealth of knowledge they’re dying to share. All you have to do is ask. They typically have seen many different technologies used in companies of all sizes and in various industries. As an IT manager, that knowledge is invaluable. Tap into it.

Many IT auditors today were at one time very skilled technically. So much so that the technology now “bores” them and they are interested in helping improve the processes used around the technology. Many IT auditors have become Certified Information Systems Auditors (CISA) through the Information Systems Audit and Control Association (ISACA). The CISA credential requires 5 years of experience and continuing education. As with all professions and certifications, there are those who slipped through the cracks and shouldn’t be practicing, but those are few and far between in the IT audit ranks.

Another myth about auditors is that they have no interest in your operational goals and objectives. They want to lock down your organization no matter the cost. While this might be true of some external auditors, think about it for a second. Auditors are just as informed about your company’s performance and its impact on their jobs as you are. Typically, bonuses are paid to everyone based on the company’s performance. Auditors don’t get exempted from this. They are just as concerned about your organization succeeding as you. They simply have a different perspective of the impacts that gaps in your organization may create for the company. Once you learn to respect that perspective and work with it, your life will become much easier.

Occasionally I hear discussions where auditors are described as “by the book”, a “Boy Scout”, someone who is inflexible and can’t be reasoned with. The only time I’ve ever seen this is when the IT manager is exhibiting similar characteristics. Then it’s usually a matter of pride on both sides; nobody is willing to back down. Almost every audit I’ve been involved with has resulted in some sort of negotiation as to what is going to be reported as a gap, its criticality, the timeline for remediation - the list goes on and on.

Internal Auditors

Internal auditors are probably the easiest to work with because they are your peers. You work for the same company, have the same ultimate boss, understand the company’s culture, etc. They’re one of the gang. You are able to build a relationship with these individuals because they are available to you. You probably work with them at least on a yearly basis, if not more often. It’s like any other relationship. As you spend more time with them you begin to understand their thought process, motivating factors, and communication style. They in turn are learning the same about you and your team. Things get easier with every engagement.

Internal auditors typically have some sort of independent or dotted-line reporting structure to the board of directors or other executive management. This helps to ensure a level of objectivity in the audit process. Because fewer levels of management sit between them and the board, they have reasonable assurance that they won’t be retaliated against for finding gaps in a process. Don’t look at this as if everything they know goes straight to the top; it doesn’t. In fact, the board typically only sees the most critical of issues in their reports. This reporting structure is designed to support the integrity of the audit process, not to make sure the head honchos know all of your shortcomings.

Since internal auditors work for your company, their motives are usually somewhat impacted by what’s in the company’s best interest. Auditors, attorneys, information security professionals, just about everyone struggles with this. How do I balance what I think is best versus what is best for the company? It is difficult to find the equilibrium, but we all must do it.

External Auditors

If your company doesn’t have an internal audit group or you are hoping to add a little bit of independent validity to the audit outcome, a company might hire an external audit firm. While this is typically seen as a good opportunity to get an independent validation, be careful. (Side Note: If you are doing due diligence and have been provided an audit report on a company prepared by an audit firm retained by the same company, you should understand the risk. Obviously, there are criminal or civil penalties for false or misleading statements, but when something can go either way…it’s going to go in the direction the money flows. After all, this is an audit firm that is in business to…make money.)

You can still have a level of rapport with your external auditors, but I’d probably be less forthcoming about all of my secrets than with my own internal auditors. Their motives are shared between keeping your business and their obligations, legally and professionally. They also have their own corporate reputation to worry about.

Typically, external auditors have very little interest in what happens to your company as a result of the audit. Notice I didn’t say they don’t care; there just isn’t much at stake for them. They are simply there to report on how well you comply with the stated controls. This can be the most dangerous audit to navigate. You typically have very little leverage with these auditors during negotiations, so you’ll have to win them over with your charm. Find some common ground with external auditors. Something that makes a human connection. Heck…take them to lunch. Even if they must pay for their own meal to avoid a conflict of interest, it’s harder to have a real disdain for someone with whom you’ve shared a meal.

Be very careful what information you provide to external auditors. Don’t ever hide information, give half the story, or mislead them. Always think of the Miranda Rights: “You have the right to remain silent. Anything you say can and will be used against you…” Do you remember growing up and your little brother or sister just wouldn’t stop rambling on to your mom when you both got caught doing something you shouldn’t have? Your mom learned things she would not otherwise have found out about if they had just stopped talking. Give auditors what they ask for, but don’t offer up every piece of information you can find. This subject will be discussed further in the scoping and fieldwork section of a later post.


An IT Manager's Guide to a Successful Audit - PART 1 - Introduction to IT Audits
An IT Manager's Guide to a Successful Audit [ PART 1 of 5 ]

Introduction to IT Audits

The IT audit process is one of the most misunderstood and loathed processes in the IT world. A lot of this comes from the fact that the process is not embraced by IT management as an opportunity for a partnership. Once managers realize they can utilize the audit process to highlight some of their own business concerns and objectives, the IT audit process becomes less adversarial and more about building relationships.

This blog series will provide an overview of the audit process and how IT management can insert themselves into this process to benefit from the exercise. It’s important to remember your attitude will set the tone for the engagement. You will get out of the process as much as you choose to put into it. This is a great opportunity to partner with someone who has an objective view of your organization and who in most cases will not be a “yes-person” because they are not trying to sell you products or services as they assess your organization.

IT’s Involvement within an Organization

Information Technology departments are typically involved in almost every aspect of a business today. This is great in some respects and not so great in others. IT managers are finding it easier to transition into corporate leadership positions because their IT work exposes them to multiple areas of the company, whereas some of their business unit (BU) peers only get to see the line of business they work with, e.g. Sales, HR, Finance, Operations, Marketing, etc. This also means that whenever a business unit is audited, IT will be involved to some degree. Even if the audit focus is only on the BU process, the BU probably uses technology at some point in that process. Finance uses an electronic accounting system to store POs, Accounts Receivable/Payable, Payroll, etc. The auditors will want to know how access to each of these components is restricted, how often access rights are reviewed, etc. Even though IT isn’t the focus of the audit, it is still involved in the audit. It’s important for IT managers to have a seat at the table during the audit scoping phase, which we’ll talk about later.

When IT systems and processes are the focus of the audit, the roles and responsibilities are much easier to ascertain. The auditors are looking at your standard operating procedures. How do you limit access to systems? Is there segregation of duties? How is change management handled? An audit requires that processes be documented. Two questions typically arise during an audit. First, how well is the process followed? Second, is the work documented and available to use as evidence that the process was followed?

Common Audit Types

There are various reasons that an audit engagement could occur, but we will focus on three main areas: Compliance, System Discrepancy and Process Assessment. These are the audits in which IT would most frequently be engaged. While the phases and objectives of an audit remain the same in general terms, it is important to understand how the audit’s focus may change the scope, groups impacted, timelines or other specific details for each audit.

Compliance Audits

Compliance audits may be one of the easiest to work through. Typically, these audits have clearly defined objectives and criteria for achieving a satisfactory rating. The subjective nature of the audit process is limited by the specifics laid out in the regulations. Compliance audits can be broken down into two categories: regulatory and industry. Regulatory audits are the result of legislation being passed and may carry civil and/or criminal penalties for non-compliance. Industry audits, however, are based on the standards of one’s industry. The biggest risk to your organization is that it may lose the ability to be considered certified or to offer a specific product or service, but nobody will rot in federal prison for non-compliance.

Some regulations, such as HIPAA, are more ambiguous in their requirements and have greater room for interpretation than, say, the Federal Information Security Management Act (FISMA). FISMA uses the very literal National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 as its guideline. It’s important to note that, except for FISMA, most of the regulations you may encounter are designed to regulate a business practice. The sections that address data security and privacy are only components of the overarching legislative functions.

Most Common Regulatory Compliance Audits

SOX

In 2005, Section 404 of the Sarbanes-Oxley Act (SOX) pretty much turned the business world on its head. All publicly traded companies had to add a section to their annual SEC filing stating that the company’s executive management personally attest to the financial statements being filed. This also included an attestation that there is a framework in place to manage controls over financial systems, and that the controls were tested and are deemed effective. The fire drills have subsided; however, there is now a focused effort on yearly testing for SOX 404 compliance.

HIPAA/HITECH

The beginnings of HIPAA focused on the ability of health care payers (insurance companies, Medicare/Medicaid) and payees (hospitals, school systems, physicians) to share information electronically. Until then there was no standard code for a specific diagnosis, method of care, prescription, etc. Once people started thinking about sharing such sensitive data more easily, an emphasis on information security and privacy was added. Most HIPAA audits are internal and focus on how well you meet the compliance objectives. External audits have become more prevalent as enforcement measures were enacted in 2008. In 2009, additional security and enforcement actions were signed into law under the HITECH Act.

FISMA

FISMA standards are the bane of existence for any IT manager supporting the federal government. The NIST SP 800-53 standard is one of the most detailed and stringent standards available. A huge benefit, however, is that SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, has been published as well. This is the guide for auditing systems against FISMA. It’s like having the answers to the exams at the beginning of the course.

PCI

Compliance with industry-imposed regulations isn’t a new concept. Industry groups have long offered certification for suppliers of goods or services that meet a certain standard. The Payment Card Industry (PCI) Data Security Standard (DSS) is now one of the most prevalent sets of requirements IT systems are audited against.

System Discrepancy Audits

System discrepancy audits are sometimes the hardest because they arise out of the fact that things simply don’t add up. If the mismatch isn’t easily detected, a discrepancy audit is called for. Herein lies the problem. Where do you start? Is the problem in the application? Is it the database? Is it in the data collection tool? Was it simply human error? Could all of the data be collected and stored properly but the reporting system be the culprit? Who knows? Hopefully your systems administrators and business analysts can review the details and provide some intelligent hypotheses on where to begin. That’s all it is though…an educated guess. Until you start testing controls and components, you don’t know where you stand. You just hope to catch that loose string that allows you to unravel the tangled mess.

Discrepancy audits usually yield one of two results. The first is that a control was weak and allowed someone to exploit the system, either intentionally or unintentionally. This one is a little easier for executives to understand and deal with. You shore up the process or control to prevent a repeat and move on. The second result is that all controls appear to be effective and working properly, however, the discrepancy still occurred. Wow…what do we do now? This is probably going to point to an inside attack from someone with authorized access. Hang on because the ride has just begun at that point.

Process Audits

Process audits are usually very straightforward. You have a body of standards such as NIST, ISO or your own information security policy that your organization has agreed to adopt and utilize to manage your information security and privacy. At a regular interval, you will need to show evidence that the organization utilizes processes and procedures that are in alignment with this body of standards. If the process audit is in relation to a body of standards, there are two phases. The first is to map your processes or procedures to the standard’s controls. The second is to test each control for effectiveness, or how well it works.

If this is simply a process audit there is no need to map these back to any external criteria. The audit will simply be a review of the current effectiveness and efficiency of the control.

Four Reasons to Not Combine Your Audits

Sometimes internal auditors will try to combine audits because they think it will save them time in the fieldwork and reporting process. Auditors are no different from any other profession; everyone looks for efficiencies. However, that approach isn’t advised in this instance for several reasons. First, this creates confusion when trying to identify the objectives and outcome for the audit. Without a specific focus, the audit engagement continues to grow in size, time needed to complete, and resources impacted. The larger your audit, the greater the chance the outcomes will not be meaningful.

Second, sometimes inexperienced auditors don’t see how the specific audit relates to your business model. Testing scenarios for compliance may look very different from those for a process improvement. Testing scenarios should be carefully chosen to reflect the focus of the audit. When you combine audits you typically must choose multiple testing scenarios, so you lose the very efficiency you were trying to gain.

Third, reporting becomes a mess when you try to combine the various opinion letters and recommendations. You may have trouble mapping these to regulatory requirements or to remediation plans.

And lastly, you need a “W” in the win column. If all your audits are combined into one big engagement, chances are there’s going to be something that you need to improve on. This could cause you a less-than-satisfactory rating. If this is your only audit for the year, executives will only see your 0-1 record and may begin to judge your competency. If, however, you break things down into smaller chunks, you may end up with a 3-1 record, which is a much better reflection of your execution of business objectives.
