Sep 02 2014
Management

How to Prosper Through Your Next IT Audit

Legwork and readiness can turn an IT audit from dreaded to effective.
Earl Follis
by

Earl Follis is a longtime IT professional who has worked as a technical trainer and network administrator.

Audits typically produce much anxiety and dread, but IT audits can be even more nerve-racking. Why?

For one, personnel who most likely are already stretched too thin may be asked to work overtime to satisfy audit requests that seem to come out of the blue.

IT can plan and be better prepared for future audits by analyzing and understanding what information auditors may seek. A good audit preparation plan is updated continuously and can make an audit a nonevent (perhaps even an enjoyable one), versus one that puts IT staff members through the wringer.

Audit Prep

Audits are a fact of life for IT organizations. Burying your head in the sand in the hope that auditors can’t or won’t see all of the facts is not an effective strategy for audit preparation. The best way to prepare is to figure out in advance just what information auditors will be looking for, and have that information readily available to present, if or when they ask.

Discern in advance what type of information your team will be asked to produce by studying the audit lifecycle process used by auditors, as well as the information requests and findings from previous IT audits. Most internal auditors have a well-defined lifecycle that guides the audit process. Studying the typical audit lifecycle followed by most auditors is akin to getting a look inside the other team’s audit playbook: It’s clear what to expect, and when.

There are probably no surprises in the checklist included here, but it is helpful to consider the broader view of the auditor’s approach to his or her job. Of particular interest during audit planning are the audit requirements and the findings and action plans from past audits.

Reviewing this information likely will reveal 90 percent of the requirements that will be in the next audit, along with the deficiencies that should be addressed before the next audit begins. Keep in mind that audits and action plans identify risks and mitigation strategies for senior managers. Developing an audit preparation plan will mitigate risk for departments in future audits.

The Audit Coordinator’s Lifecycle

Audit coordinators should develop their own audit preparation lifecycle that addresses potential requests and requirements based on previous audits.

An auditor may have asked to review a department’s software asset management (SAM) reports during a previous audit, in order to verify that all licenses are up to date and no users are running unlicensed or unapproved software. Part of the audit plan, then, should include a monthly review of those same reports.

Verify that the SAM reports are complete and all software is fully licensed. If auditors previously asked for access-control lists for every server, run those same reports on a regular basis, and keep that information in the plan.

Every company and IT organization is different, but there are some good starting points for developing any departmental audit plan:

  1. Review past audits for the target department (and similar departments) to build a list of potential requirements.
     
  2. Review past findings to determine any issues that were identified previously. Expect scrutiny in those areas during the next audit.
     
  3. Review past action reports for any risk mitigation strategies that were proposed. Verify what remedial activities took place, and that they were successful.
     
  4. Build a plan that includes any specific actions to be taken as a result of past findings and action plans.
     
  5. Update the audit preparation plan on a regular basis; minimally, an update should accompany the rollout of any new applications or IT assets.
     
  6. Distribute the audit preparation plan to IT management every six months, and request feedback. More experienced, impartial eyes may catch issues with the plan that may be missed by those involved with developing and maintaining the plan.
     
  7. Once an audit is scheduled, put the audit plan into effect and be sure to make the auditor’s job as easy as possible.
     
  8. When the audit is complete, go back to Step 1 and use the latest requirements and findings to refine the audit preparation plan for the next audit.

An organized and disciplined approach to audit preparation will result eventually in easier and more effective audits. Knowing what to expect, verifying that auditable information and processes are reviewed regularly, and using past results to better prepare for future audits are the best ways to minimize the disruption they cause.

Above all, audits should offer valuable insight to all company leadership when the time comes for strategic decision-making.

IT Audit Do’s and Don’ts

Do:

  • Remember that an auditor isn’t the person who orders the audit. Senior company leaders initiate most internal audits as a means of gaining mission-critical information and data.

  • Approach an audit as an opportunity to learn more about the audit process and how your team can be better prepared for the next audit.

  • Use the audit to communicate directly to senior management any IT resource or process concerns.

  • Budget accordingly for an audit, whether or not one is scheduled. Audits can happen at any time, so be prepared.

Don’t:

  • Consider an audit to be an adversarial situation. IT professionals and internal auditors are partners on the same corporate team.

  • Try to hide or minimize any bad news revealed during an audit. The truth will come out, regardless.

  • Allow scope-creep. If or when out-of-scope concerns are raised during an audit, it is important to adhere to the original audit scope, then notify management that additional audits will be required to address any out-of-scope concerns raised.

George Diebold Photography

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now