For many people, IT audits are like dental checkups writ large: you think you’ve practiced good dental hygiene, but they can tell if you haven’t flossed every day since last year.
Like with most stressful encounters in life, you can prepare in advance to make audits less intimidating, improve your chances of passing them, and most importantly, enhance compliance and security.
The Mindset: Think Like an Auditor
You and your IT team should try to think like an auditor. Be aware of compliance requirements, risk analysis, and consequences of falling short. If you’ve been through an audit before, you have some idea what to expect, but no two audits are alike.
If you’re facing, for example, a PCI DSS audit, you have to take a hard look at your organization’s adherence to PCI and immediately start any obvious remediation steps so you can fix as many deficiencies as possible before auditors arrive.
Appoint an Audit Team and Team Coordinator
Having a central point of contact and an audit team to support him or her helps ensure everyone knows what’s required, and what steps everyone is taking to ensure a successful audit. The point person’s responsibilities may include reading the latest documentation about applicable regulations and coordinating activities of the audit team members.
For most third-party audits, your team should include representatives from key departments, your IT security leads, and possibly one or more designated “internal monitors” for audit drills. Choose people with relevant experience, whom you can trust to investigate issues and report back promptly. The Verizon 2014 PCI Compliance Report identifies the following most common pain points for PCI audits, and they apply to other types of audits as well:
• Security testing
• Security monitoring
• Detection of and response to compromised data
• Protection of stored sensitive data
Gather and Organize Documentation
Documentation should clearly explain how your IT infrastructure interacts, and will make the auditor’s job easier. By providing a logically organized binder of information for audits, you make it easier for auditors to find the information they need.
You’ll need to provide documentation of all your vital systems, including policies, procedures, and system flow diagrams. If your organization uses an automated change auditing solution, providing change logs can be helpful too, because they show positive, proactive changes your organization has made. Providing auditors with a neatly organized binder showing your security, governance, and compliance efforts also makes a positive impression.
Relax: they’ll probably bring their own red pens.
Dealing Directly With Auditors
If possible, your point person should schedule a brief meeting with auditors beforehand to learn about the audit process and help define the time commitment and resources necessary to devote to the audit. Good initial questions for auditors may include:
• What type of audit is scheduled?
• What is the auditors’ methodology?
• Which systems will be examined?
• How long is the audit expected to take?
• What support will auditors need (such as workspace, access to a fax machine, etc.)?
When auditors arrive, have a brief presentation ready describing your systems, giving an overview of applications and processes, and placing your IT infrastructure into context. For security audits, give an overview of major security procedures for each system. Make sure all of this is backed up by the documentation you provide the auditors.
Follow-Up After an Audit
Having a quick wrap-up meeting immediately after the audit is advisable. Here you can request draft copies of reports so you can review them for accuracy. Most auditors allow this, and may offer a conference call to go over preliminary findings.
Once you learn whether you passed an audit, respond as quickly as is practical. Some audit reports include a section where you can respond to findings or rebut conclusions. You can use this as an opportunity to inform auditors what you are doing to correct deficiencies.
Make Compliance a Year-Round Focus
After an audit, your audit team should develop a plan to address deficiencies or recommendations. If this was your first audit, consider it a “benchmark” from which auditors will measure improvement next time. It may take time to address remediation needs, but even if you can’t address everything before the next audit, document every step you are taking to show that you are making improvements. Look at audit compliance as a year-round process and you’ll make future audits easier.
Your IT service management solution can help you create a strong foundation for audit compliance. With comprehensive IT asset management like that provided by Samanage, you can manage licenses, subscriptions, and every device that connects to your system, and create up-to-the-minute reports easily. And Samanage‘s built-in change management capability lets you implement any post-audit changes in a logical and streamlined manner.