Last time we talked about how to prepare for an audit. In this installment we’ll cover what to do once the audit begins. Let’s assume that you’re pretty well prepared. You’ve done your homework and know pretty much what to expect. So, everything’s good, right? Well, even though you’ve taken the time to prepare, you could be in for some surprises. The keys to surviving an IT audit are pretty simple:
- Be truthful
- Be brief and succinct
- Let the auditor do the work
Be Truthful
Do not ever lie, “color the truth”, or leave out pertinent information. Your job is not to fool the auditor. Respond to all auditor requests with the most accurate information you can provide. As much as you can, talk with the auditor(s) to better understand the nature and scope of any request. If they ask for “all of your perimeter firewall logs,” you need to get a more specific request. Find out which devices are included in the request. Also, ask what range of dates and times should be included. Continuing in this line of questioning, what specific information should the log file report contain? Asking such questions will help you in three important ways. First, defining the scope of the request can reduce your effort. A good log management system, such as *Logentries*, can help you create requests for log file output and only provide the information that the auditor requests. Second, defining exactly what the auditor wants can help you avoid providing incorrect or insufficient information. When you don’t really understand what the auditor wants, you could even appear as though you’re hiding something. And finally, narrowing the scope of your log file output request keeps you from providing too much information, which leads into our next point.
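The three scoping questions above (which devices, which date and time range, which fields) can be applied mechanically before anything leaves your hands. The following is an added example, not code from the original post or from Logentries; it assumes a constructed, simplified log format of `<ISO timestamp> <device> key=value ...` and uses made-up sample lines.

```python
from datetime import datetime

# Constructed sample lines standing in for a perimeter firewall log export
# (format assumed for this example: "<ISO timestamp> <device> key=value ...").
SAMPLE_LOG = """\
2023-03-01T08:15:02 fw-edge-1 action=deny src=203.0.113.7 dst=192.0.2.10 dport=22
2023-03-01T09:30:45 fw-edge-2 action=allow src=198.51.100.4 dst=192.0.2.20 dport=443
2023-03-02T10:05:11 fw-edge-1 action=allow src=198.51.100.9 dst=192.0.2.30 dport=80
2023-03-05T23:59:59 fw-core-1 action=deny src=203.0.113.8 dst=192.0.2.40 dport=3389
"""

def parse_line(line):
    """Parse one line into a dict, or return None if it does not fit the assumed format."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    rec = {"timestamp": ts, "device": parts[1]}
    for kv in parts[2:]:
        key, sep, value = kv.partition("=")
        if sep:  # skip tokens that are not key=value pairs
            rec[key] = value
    return rec

def scope_request(log_text, devices, start_iso, end_iso, fields):
    """Keep only lines from the named devices within [start, end], trimmed to the requested fields.

    This answers the three scoping questions (which devices, which date/time range,
    which information) so that nothing outside the auditor's request is handed over.
    """
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    wanted = set(devices)
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["device"] not in wanted:
            continue
        if not (start <= rec["timestamp"] <= end):
            continue
        # Unrequested fields (e.g. dst, dport) are dropped rather than volunteered.
        results.append({f: rec.get(f, "") for f in fields})
    return results

if __name__ == "__main__":
    for row in scope_request(SAMPLE_LOG, ["fw-edge-1"], "2023-03-01T00:00:00",
                             "2023-03-01T23:59:59", ["timestamp", "action", "src"]):
        print(row)
```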
Be Brief and Succinct
Being truthful doesn’t mean providing each and every detail that may somehow be related. Providing too much information could actually raise red flags if the auditor reviews information outside the scope of the audit. Keep your answers and any evidence that you provide focused on the auditor questions. Don’t elaborate. If your auditor wants more information, there will be follow up questions.
Let the Auditor Do the Work
Answer all questions and provide all requested evidence. But don’t go beyond that. Your job is to support the audit – not conduct it. Providing commentary on the evidence you provide has at least a couple of drawbacks. First, you could actually weaken the strength of your evidence if you attempt to apologize for its quality and explain its state. Let the evidence stand on its own. Second, extraneous commentary could alert auditors to control issues beyond the scope of their current investigation. Again, let the auditors conduct the audit.
When you start an audit, especially with new auditors, you will be dealing with new resources. In most cases, auditors are similar to new employees. They will need to follow specific onboarding procedures. New auditors will not be familiar with your processes, controls, or technology. You may be asked to provide some information on how new resources interact with your network. You’ll need to provide the necessary access and training early on. Be ready to provide this input. And also be ready to remove auditor role access to your network and resources when the audit is over.
While we’re talking about role onboarding and termination, be ready to provide and explain your normal procedures to the auditors. You should be able to provide documentation of procedures that show how you handle new employees, role changes, and termination. Most auditors will look for stale userids as “low hanging fruit”. Make sure you don’t leave that door open for them.
The best way to survive an IT audit is to be prepared. But even with good preparation, you can make an audit more difficult if you ignore the guidelines above. Always tell the truth, don’t overdo it, and don’t try to be the auditor. Follow these three simple tips and you’ll find that most audits aren’t really all that bad.