Audits typically produce much anxiety and dread, but IT audits can be even more nerve-racking. Why?
For one, personnel who most likely are already stretched too thin may be asked to work overtime to satisfy audit requests that seem to come out of the blue.
IT can plan and be better prepared for future audits by analyzing and understanding what information auditors may seek. A good audit preparation plan is updated continuously and can make an audit a nonevent (perhaps even an enjoyable one), rather than an ordeal that puts IT staff members through the wringer.
Audits are a fact of life for IT organizations. Burying your head in the sand in the hope that auditors can’t or won’t see all of the facts is not an effective strategy for audit preparation. The best way to prepare is to figure out in advance just what information auditors will be looking for, and have that information readily available to present, if or when they ask.
Discern in advance what type of information your team will be asked to produce by studying the audit lifecycle process used by auditors, as well as the information requests and findings from previous IT audits. Most internal auditors have a well-defined lifecycle that guides the audit process. Studying the typical audit lifecycle followed by most auditors is akin to getting a look inside the other team’s audit playbook: It’s clear what to expect, and when.
There are probably no surprises in the checklist included here, but it is helpful to consider the broader view of the auditor’s approach to his or her job. Of particular interest during audit planning are the audit requirements and the findings and action plans from past audits.
Reviewing this information likely will reveal 90 percent of the requirements that will be in the next audit, along with the deficiencies that should be addressed before the next audit begins. Keep in mind that audits and action plans identify risks and mitigation strategies for senior managers. Developing an audit preparation plan will mitigate risk for departments in future audits.
The Audit Coordinator’s Lifecycle
Audit coordinators should develop their own audit preparation lifecycle that addresses potential requests and requirements based on previous audits.
An auditor may have asked to review a department’s software asset management (SAM) reports during a previous audit, in order to verify that all licenses are up to date and no users are running unlicensed or unapproved software. Part of the audit plan, then, should include a monthly review of those same reports.
Verify that the SAM reports are complete and all software is fully licensed. If auditors previously asked for access-control lists for every server, run those same reports on a regular basis, and keep that information in the plan.
Every company and IT organization is different, but there are some good starting points for developing any departmental audit plan:
1. Review past audits for the target department (and similar departments) to build a list of potential requirements.
2. Review past findings to determine any issues that were identified previously. Expect scrutiny in those areas during the next audit.
3. Review past action reports for any risk mitigation strategies that were proposed. Verify what remedial activities took place, and that they were successful.
4. Build a plan that includes any specific actions to be taken as a result of past findings and action plans.
5. Update the audit preparation plan on a regular basis; minimally, an update should accompany the rollout of any new applications or IT assets.
6. Distribute the audit preparation plan to IT management every six months, and request feedback. More experienced, impartial eyes may catch issues with the plan that may be missed by those involved with developing and maintaining the plan.
7. Once an audit is scheduled, put the audit plan into effect and be sure to make the auditor’s job as easy as possible.
8. When the audit is complete, go back to Step 1 and use the latest requirements and findings to refine the audit preparation plan for the next audit.
An organized and disciplined approach to audit preparation will eventually result in easier and more effective audits. Knowing what to expect, verifying that auditable information and processes are reviewed regularly, and using past results to better prepare for future audits are the best ways to minimize the disruption they cause.
Above all, audits should offer valuable insight to all company leadership when the time comes for strategic decision-making.