The following is provided by John Burton, President of AIV member NPI, a technology management company located in South Burlington. For more information, call (800) 639-6091, or go to www.npi.net.
IT audits are one of many tools to help manage risk and identify areas of your business that are not only open to vulnerabilities but also can be further improved and protected. Consider an IT audit as a litmus test to improve overall accountability. Auditors provide independent and objective statements of key measurements that illuminate business risk to drive mitigation efforts. They are tasked to obtain evidence to examine, probe and challenge. Their report, findings and observations will include important recommendations and action items.
Typical audits contain three phases: planning, testing and reporting.
Readying for the Audit
The “road map” for typical audits includes examination and evaluation of the key technology controls. The first step is to assemble an audit team that sets the audit goals, defines the purpose of the audit, establishes audit metrics and determines how to validate the test results.
Many business leaders don’t fully understand how auditors work and may be unfamiliar with audit terminology and methods. Some fear that the auditors will be too critical and their report will tarnish the business. To complicate matters, the audit plan timeline may not be convenient to work into busy business schedules. One of the key tasks in the initial planning phase is to get agreement on the preparations, timing and actual conduct of the audit to avoid confusion about roles and responsibilities.
Immediately after receiving notification of an audit:
- Review the audit history and status of work on previous recommendations
- Evaluate the documentation relevant to the scope of the audit for completeness
- Brief the team to be audited and encourage them to discuss their roles in the process
- Request clarification whenever there is doubt or ambiguity in a question, request or statement
- Study the audit schedule and make sure it is understood by the team
- Participate in the initial discussions to ensure that everyone is on the same page with the audit activities
The Testing Phase
An IT auditor will not simply test your systems; their job goes well beyond a straightforward examination. Be prepared for interviews and in-depth performance evaluations. Facts and dialogue are vital components of any audit, and collaboration with the auditor ensures that the final report is a fair representation of the current status. If previous audits raised issues and made recommendations, the next auditors will want to know what has changed, and they may choose to re-audit some of the recommended actions. To start off on the right foot, make sure that you have an accurate summary of the actions taken, along with all supporting documentation.
Incomplete, out-of-date or unavailable files slow the process and lead to more concerns, so thoroughly review the status of your records. To save time, verify that your managers have the necessary information prepared before the interview process begins. Managers and auditors will need to meet periodically to discuss the audit's progress along with any issues the audit uncovers.
The evaluation process typically includes:
- physical and logical security
- process documentation and metrics
- controls at various levels (e.g., operating systems, applications, networks, encryption)
- controls to manage data availability, confidentiality and integrity
- application specification, development, testing, security and controls
- project and change management processes
- resiliency, recovery and other contingency plans
- budgeting, cost control, and organizational structure
- infrastructure and software change control procedures and systems
Most audit reports identify problems, corrective actions and implementation recommendations. The expectation is that the management team will digest and respond to the audit recommendations; it is typically given several months to prepare that response.
Typical audit stages:
Stage 1—Notification stating the purpose of the audit, who will conduct it and the target timing.
Stage 2—Scoping the audit, defining the areas to be covered and including an initial list of documentation to be provided to the auditors.
Stage 3—Fieldwork consisting of interviews, site visits, documentation reviews and tests.
Stage 4—Reporting activities, including discussions, a draft report, an auditee comment period and an exit conference. Following these steps, a final report is issued.
Stage 5—An assessment of the progress made on issues identified in the report.
When audit reports are done correctly, they provide improved oversight and bring a higher degree of certainty into the often uncertain world of business. Businesses that provide evidence of regulatory compliance, show a willingness to update IT controls and demonstrate an understanding of risk management and accountability will establish more trust in the marketplace. Proof of audit compliance will go a long way when wooing more business. So, instead of panicking when faced with an audit, consider it an opportunity to improve your business and win more customers.