Certified Information Systems Auditor Terri Rogers offers six pointers for a painless examination cycle with your IT auditors and examiners. For most business leaders and stakeholders, meeting with an auditor is an unwelcome—and unpleasant—experience. These leaders and stakeholders tend to consider information security and its related audits and examinations as an obstacle for their organization, one that incurs additional expenses and headaches. In many cases, fear of the IT auditor has prompted organizations to adopt a “security-by-compliance” approach that focuses mitigation on satisfying the auditor rather than on the end goal—systems security.
Auditors may not have the best rap in the banking industry, but it’s important to remember that in actuality, IT audits and examinations are designed to be consultative. In turn, auditors are advisors offering consultation that can help reduce information security risk and improve security posture. Thus, mitigating security risks in your internal IT systems can create a competitive advantage for your organization in the marketplace, and secure systems help to prevent devastating attacks.
The key to a painless IT audit is building a collaborative relationship with your IT auditor. Remember that he or she is there to serve as an advisor; with that in mind, you can begin to ease the pain of your audit cycles and derive business benefits beyond compliance.
Keep in mind these six pointers at the next meeting with your IT auditor for a painless, positive examination:
1. Evaluate the information security risk associated with your infrastructure at least once a year. Document your evaluation results and mitigate high-risk areas. This will give your IT auditor a focal point for his or her audit that will reduce the scope and time to complete the examination cycle.
2. Generate evidence of adequate and reasonable information security risk mitigation. Risk mitigation safeguards are policies, procedures and controls that are enforced, internalized and operating effectively. This evidence should stem from daily operational activities.
3. Respond promptly and thoroughly to evidence requested prior to the IT auditor’s site visit. Access to a complete set of evidence will decrease the need for additional interviews and testing.
4. Since IT examination cycles help to reduce information security risk and improve security posture, present an accommodating and cooperative environment during site visits. This demonstrates that your organization has a risk-conscious and security-aware culture that is supportive of your IT auditor’s consultations.
5. Be open with the IT auditor regarding known information security high-risk areas and compliance gaps, and have plans for remediation. This can provide assurance that your organization is continuously improving its information security posture.
6. Reach out to your IT auditor between examination cycles with any questions or concerns to foster a solid relationship—a positive, working relationship with your IT auditor can go a long way during a tough audit.
Terri Rogers is a Certified Information Systems Auditor (CISA) for NetStandard. Rogers has more than 10 years of experience in performing information security risk assessments, information systems control audits and disaster recovery planning for the financial services, manufacturing and healthcare industries. Rogers is also an active member of the Information Systems Audit and Control Association (ISACA).