Effectively Working with IT Auditors

The April edition of my “IT Compliance in Realtime” e-journal is now available!
There are three papers within this month’s issue. The first is, “Effectively Working with IT Auditors.”
Communicating well with your IT auditors will help ensure that your audit goes smoothly and provides as much value as possible for your business. within this article I explain what to ask for before, during, and after your audit.
Downlowd the PDF version of the e-journal to not only get the nicest looking version of the article, along with much information in tables and additional short items I included within sidebar boxes throughout the article, but also to get all three of the articles I wrote for this month.
The following is an unformatted version of “Effectively Working with IT Auditors”…

Remember, IT Auditors Are People Too…
I was an IT auditor for a couple of years, after being a teacher, then a systems analyst and architect. I am so glad I had the experience of teaching and being an active IT practitioner before being an auditor. It gave me the background and knowledge that really enhanced my ability to perform IT audits with an understanding of not only the business but also what is, and is not, possible within computer applications and systems. In addition, I learned how to communicate as effectively as possible with those whose applications and systems are being audited.
However, it is important for IT and information security practitioners to know that large numbers of IT auditors do not have an IT practitioner background.
Many join the IT audit profession fresh out of college, often with a degree in accounting or management information systems (MIS). They rely upon the training they received from their IT audit area, mentors, and audit-specific training sessions to do the audit. This often results in what many practitioners grumpily refer to as being subjected to an IT audit “checklist.”
I have also heard many complain that they don’t see the sense of having someone outside their areas perform audits on their applications and systems; they don’t think an outsider knows enough about technology to do a fair audit. This may be the case in some situations, but it is important to understand the valuable role of the IT auditor in helping to ensure applications and systems have appropriate and sufficient safeguards and controls implemented. Although many IT auditors may not have hands-on experience within the IT area, most are very detail-oriented and hold themselves, and other auditors, to a high ethical standard in performing their audits. They are also only human, so give them some slack if you think they are asking irrelevant questions or stepping on your toes; remember, you are the subject matter expert (SME) for the applications and systems they are auditing, but they are the experts in providing an objective, highly structured, in-depth audit.
Why Do We Need IT Auditors?
If you went to a used car lot, what would you trust more: the sales person that proclaims, “This car is in excellent shape! I personally inspected it from bumper to bumper!” or the sales person who says, “I can provide the phone number of the independent Better Business Bureau-approved inspector who looked this car over so that you can ask her directly what kind of mechanical shape this car is in.” Most prudent people would choose the BBB-approved inspector. Why? Because the BBB inspector, as an independent entity with nothing to gain or lose by the sale of the car, will provide a more objective and accurate review of the car. We also need this same type of independence and objectivity from the folks who inspect our applications and systems to make sure they are appropriately secure.
Quite generally, the role of IT auditors is to objectively evaluate IT systems, applications, and associated practices and operations to ensure the integrity, business availability, and appropriate preservation of confidentiality of an organization’s information and the systems upon which they depend. There are many types of IT audits with scopes ranging from very narrow to so wide it goes beyond the boundaries of the organization. However, the audits typically involve one or both of the following:

  • Performing an assessment of the internal controls of the IT application, system, and environment to ensure the security, integrity, and reliability of the associated information.
  • Performing an assessment of the economic effectiveness and efficiency of the IT application, system, and environment.

IT auditor independence is critical to add value to the business. The resulting audit report must be free from influence and bias in order to have value and be recognized as contributing to the business goals and objectives. What value would an audit provide to business if the auditor basically just wrote within the report what the business HOPED was true with regard to applications and systems security and compliance?
If this is not enough of an argument for you, then consider the Sarbanes-Oxley Act of 2002 (SOX). It requires auditors to have independence by prohibiting the firms that organizations hire to do the audits from simultaneously providing to them non-audit services, such as financial systems and applications design and implementation. Requiring independence of auditors helps to prevent the auditors from being in cahoots with the area being audited, which could lead not only to poor controls but also to fraud and other cyber crimes.
Auditors Have Goals Similar to Information Security and Privacy Practitioners
IT auditors have goals similar to IT and information security practitioners, as Table 1 shows.
[See the table within the PDF]
There are many more, and I could continue this list for a few more pages. As the items in Table 1 demonstrate, although the goals are similar, the responsibilities are quite different.
[Sidebar info here; see PDF]
The primary concern of IT auditors is to independently confirm that adequate controls are in place to safeguard the business’ information assets as well as to meet compliance with applicable laws, regulations, and contractual requirements.
Know What to Ask For
To help ensure your audit goes smoothly and provides as much value as possible not only to your area but also to the business, it is important to communicate well with the IT auditors. To help ensure your audit is accurate and disrupts your personnel and their daily work responsibilities as little as possible, be sure to gather some specific information from the IT audit manager for the planned audit as follows.
Before the Audit

  • Obtain the names, titles, and contact information for each member of the audit team. It will be helpful for you to know the role for each, along with each of their assignments.
  • Ask for the amount of information security and IT experience for each audit team member. It will be particularly helpful for you to ask which certifications–such as CISA, CISSP, CCNA, MCSE, and so on–they have.
  • Schedule some time to give the audit team members an orientation or primer about your area, your responsibilities, and the systems and/or applications they will be auditing to ensure they have sufficient background to make informed and valid findings and recommendations.
  • Schedule some time with the personnel in your area who will, or may, be asked to help provide information for the audit. Explain the purpose of the audit, the backgrounds of the audit team members, and where they may need extra help with understanding certain concepts or aspects of the applications or systems being audited. Let your personnel know that the audit is not a witch hunt for wrong-doers but is a sincere attempt to find ways in which the controls in the applications and systems being reviewed are vulnerable and ways in which controls can be improved to help the business.
  • If your area, applications, and/or systems have been audited before, ask to see the previous audit reports. Read through the findings and recommendations to see what changes were made as a result. Note how your applications, systems, and area responsibilities are now different from when it was last audited. IT auditors often depend heavily upon a prior audit report to plan for their next audits, so it will be important for you to fill them in on how things have changed.
  • If possible, establish a desk or work area where the IT auditors can park themselves while they are in your area interviewing personnel and reviewing documentation. This will prevent them from needlessly schlepping important documentation back to their own area and desk, creating the possibility of loss or inappropriate access by others. Remember, IT auditors are only human, and they, too, can put confidential information at risk if you do not prepare a secure location for them to store it securely during the audit.

During the Audit

  • Ask for the IT audit manager’s document that explains the purpose, scope, and objectives of the audit. This will help you and your personnel to more effectively answer any questions the auditors have, and provide documentation to them that they may not know to ask you for but will contribute to the goals of the audit.
  • Confirm that the list of audit team members you got prior to the audit still consists of the same folks who are performing the audit. It is not unusual to have IT auditors switched to other audits right before an audit starts based upon their experience, credentials, time availability, and other factors.
  • Ask for a timeline for milestones within the audit, including tasks that will require and take time from your personnel.
  • Determine whether the audit team members will need access to the applications and/or systems and for how much time this access should last. IT auditors seldom have a valid need to maintain access to applications, systems, audit logs, and other network resources following the conclusion of an audit.
  • Communicate all access and time requirements to your personnel so that they can plan accordingly and not be perturbed when auditors want to speak with them when they had other work activities planned.
  • Schedule weekly or bi-weekly meetings with the IT audit manager, or the audit team, to discuss audit progress and any issues that they have uncovered or any questions they might have. It is much better to nip concerns in the bud right away than to be surprised by the final audit report.
  • Request to schedule an exit conference with the IT audit manager or team for the end of the audit.
  • Request copies of the preliminary and final audit reports. Be sure you have the opportunity to provide feedback on the preliminary audit report to make sure it is as accurate as possible. Remember that the IT auditors are not experts in your specific area of responsibility, so it is not uncommon for them to get some facts wrong based upon information they have read in audit manuals, within conference proceedings, or from other sources. It helps the credibility and reliability of both your area and the IT audit area to have the report as accurate as possible.

After the Audit

  • Schedule a time to go over the audit report with your team. Since they have contributed information to the audit that impacts the findings and recommendations, they will want to read the report and they should be given that consideration. If everyone communicated well, as described in the previous steps, there should be no surprises. If there are surprises, they will indicate a communication breakdown or some other problem.
  • If you or your team disagrees with the report, or any of the findings, then put it in writing. If it is unrealistic or infeasible to implement any of the recommendations, put it in writing. You must document your opinions as the SMEs for the audit topic as well as provide evidence to validate your statements. Likewise, indicate the corrective actions and corresponding timelines that your area will take for the findings and recommendations that you believe are correct.

[Sidebar info here; see PDF]

  • Assign your team the responsibility for providing you with an audit findings resolution status report every 3 to 6 months. After you review it for accuracy and make any necessary clarifications or corrections, send it on to the IT audit area so that they will know where you are at with addressing the vulnerabilities detailed in their report. This will also demonstrate your cooperation and that you value their work. Being proactive in this way will make future audits go that much more smoothly.

…………….The End………….
Let me know what you think!

Tags: , , , , , , , ,

Leave a Reply