
10 things you can do to make your next IT audit more productive (and less painful)

No one enjoys IT audits. But there are several ways you can optimize their benefits and make them less threatening for your staff.

IT audits strike fear into the hearts of most IT'ers -- but they also ensure that you are meeting the IT safety expectations of your stakeholders and the regulatory requirements of your industry. Here are 10 best practices that can help audits flow smoothly, while delivering lasting benefits that improve IT performance.

1: Maintain an atmosphere of openness with your stakeholders

There is a natural tendency in IT to keep audit activities and findings under wraps as much as possible. This is because audits are intended to find holes in your systems and to identify weaknesses -- and no one likes their oversights exposed.

However, many IT managers find that they are ahead of the game if they approach audits openly with their bosses, boards, and stakeholders by speaking candidly (before auditors arrive). They can discuss areas of IT where they think there might be exposure to security breaches or less than ideal practices, and explain how they hope auditors will help identify these areas and prescribe solutions for them. Board members usually come from management positions themselves, so they understand the role of auditors. They also understand that auditors stay in business when they find oversights that everyday staff members are likely to miss.

2: Complete open items from prior audits

Never, ever face an audit with open findings from a prior audit that you have not resolved or made acceptable progress on. If you do this, your superiors are going to wonder why these items are still open, and that is not going to reflect well on IT.

3: Select auditors who will provide you with senior people

Before signing on the dotted line with any audit firm, have the firm identify the people who will be assigned to your audit, as well as the person who will have overall responsibility for the audit engagement. Especially if your company is smaller, there is a tendency for some audit firms to place more junior people in these engagements. What you want is a senior person who knows the ropes, has seen many different enterprise environments, and is capable of giving you sound and seasoned advice on how you can improve your operations and your policies.

4: Identify training objectives and best practices for staff ahead of time with auditors

Many IT departments tend to approach IT audits as they would a doctor's exam. They get the auditors started and then stay in their offices, hoping for the best. But good IT managers take the initiative in audits by performing their own informal assessments of potential weaknesses in advance of an audit and by identifying training and knowledge areas for IT that can be enhanced by what the auditors might know. Some managers even arrange a preliminary conference with their auditors so they can work together on the audit and also on possible training opportunities for IT in particular operational areas.

By approaching audits as opportunities for staff growth as well as for operational corrections, IT (and the company) can derive greater benefits from the dollars spent on audits. Derivative training and educational activities should also be reported to the board and to other stakeholders concurrently with the results of the audit.

5: Compile all needed materials into an organized online folder or physical book before auditors arrive

Audits flow most smoothly when an online directory or even a physical binder containing information the auditors have requested is assembled before the auditors arrive. This minimizes the number of interruptions that auditors will impose on your staff because they need information.

6: Create an isolated area for auditors to work in

No matter how well planned your audit visit is, having auditors on site disrupts workflows and distracts staff. It is best to set up an isolated workspace for auditors. This will minimize disruptions and give the auditors a quiet place to do their work. You also want this area segregated from your general operations because you will want only experienced persons (e.g., supervisors, managers, administrators) from your staff answering questions from auditors. Isolating auditors from staff work areas helps facilitate this.

7: Identify the people who are going to work with the auditors

These people should be senior staffers who know how to work with auditors and handle auditors' questions. When companies give auditors the run of the office and there is not a legitimate reason for doing so, junior staff people can prompt audit questions (and billable hours) that wouldn't even have come up if a senior person had been there to explain an operation to an auditor.

8: Help create an advance agenda for your auditors and form a team approach

You should plan to play a leading role in organizing an agenda for an onsite visit from your auditors. It is easy for IT to sit back and just let auditors develop their own agendas. But again, your agenda (and goals) should be not only for the audit, but to capitalize on best practice development and training opportunities for your staff.

9: Open your exit interview with auditors to interested stakeholders

Auditors will generally give you a preliminary edition of their report and findings for your review and comments -- and then a final report that contains any revisions and that addresses your comments. The report is reviewed and discussed in an onsite exit interview. The natural tendency is to keep this meeting as closed as possible. But if you have been dialoguing with your board on audit activity, this can also be an occasion to build trust and confidence by extending an invitation to other managers and board members to attend this meeting.

10: Identify future issues and budget needs

Audits cost money, so be sure they are included in annual budgets. If possible, identify a three-year rolling plan on what your audits and budgetary needs are likely to be.

Reaping the benefits

I do not believe I have ever encountered an IT'er who liked IT audits! But there are proactive approaches to audits that can contribute in positive ways to IT best practices and core competencies, while assuring IT and stakeholders that systems are safe. Active collaboration with your staff, your auditors, and your stakeholders brings this about. The more people understand what IT is trying to accomplish in its system stewardship role, the more trust will grow and anxiety will lessen.

About

Mary E. Shacklett is president of Transworld Data, a technology research and market development firm. Prior to founding the company, Mary was Senior Vice President of Marketing and Technology at TCCU, Inc., a financial services firm; Vice President o...

3 comments
PCTANG

The points are really good and they work. And these tips not only work for IT, they work for every required external audit. I would like to share. In my previous role in managing Applications User Security administration for 5 years and another 5 years in construction finance/admin (of millions), I practically welcomed the audits with open arms. I kept a tiny door open to engage and seek advice/recommendations/suggestions from the auditors, in situations where they got too 'narrow' in their views on certain aspects of control. However, one thing so that auditors do not get too 'pushy' is that, upfront, they should be made to understand the 'costs' involved in tightening controls (most of the time, coming from segregation of duties, which needs more staff). Senior and experienced audit teams are a group of really smart people that I came across. If you are open and really listen to them clearly, you can learn a great deal from their queries/questions, which most of the time project lots of 'what if' situations/scenarios. I saw these as 'tips' to add to my next year's G&O on improvement process. It helps you as a manager as well as enhancing the required process/procedures for the company's many functions. I would like to share that for those who are thinking of embarking into the 'security solutions' arena, get connected with the great auditors around and you will have an added advantage when you next have an opportunity to market an Oracle/IBM security product... Potential clients will see you as a consultant with baseline knowledge from the user's perspective...

ycsing

Sorry to hear that this happened to you. On the surface, it seems to me that there was an overall lack of due diligence to determine if this vendor was really needed. At best, this is a sign of weakness in your district's vendor management process. At worst, this is the result of a behind-the-scenes backscratching/kickback situation. I'd be curious to know if there is a broader vendor management policy in your school district. Most issues found by auditors during a review of IT are the result of breakdowns in people and/or process that have very little to do with the technology itself.

techrepublic

Some background: I had a weekly contract IT role as a sole support person at a school. I had asked several times over the years for the management to create a road map of where we were heading. I made great sacrifices, personally, to ensure the successful (though long time coming) implementation of new server hardware and software. Unfortunately both hardware and software had faults, which, although supported by the manufacturer, took 2 years (part time) to resolve. In addition another IT implementation was just dropped in my lap, and this also was eventually replaced after almost a year of wasted visits. Last year the school took advantage of a "free IT audit" conducted by a larger firm. I welcomed the audit, as it finally showed an interest in IT by the management. I was however suspicious of the "free" aspect of it and suggested to the school chairman that it must be a marketing exercise. He guardedly acknowledged that was likely. Six months later, it now appears the "free IT audit" was not as advertised, as the school has given the contract to that same firm. No prior audit. No performance reviews. No interest in IT taken up to this point. No peer review done of the report the board received. No IT expertise on the board. No alternative quotes. The report was not shown to me and details were not discussed. A "benefit" apparently is that the new firm does their own audits. Pardon. Is this insane. Worse. The new system provides nothing that the old system did not have available and ready to implement, if only some discussions had been forthcoming. The old system was running at 2-4% utilisation and was poised to handle wikis, blogs, webmail, student accounts, and various media services. The new system still relies on the backbone of the old system for the directory services and the DNS services, so has merely taken the file services and little else to another box.
Cooling for the IT room had been requested, with dire consequences outlined, for almost 5 years with little in the way of a serious response; however this has all happened instantly with the new contract. The audit was performed very much at a critical mid-stream time when new services were going live and fine tuning was about to be done. Backup was 4 weeks from go live, and was automated and merely awaiting decisions and discussion before being rolled out on a larger scale. Hardware was all in place, unless a remote backup was required. Staff were still coming to grips with the changes. After incredible self sacrifice the entire system was reaching the pinnacle of organisation with a single software image for laptops, more ubiquitous WiFi access, student areas for receiving and handing in work, access remotely to mail, VPN, etc., remote management if desired, automated backup, robust virus and spam control, etc., etc. As I said, poised for finally getting all the goodies, now that the hardware, operating system, directory, network services and all the foundation work was reliably implemented. So reliably, in fact, that it ran with no human intervention for 94 days before the new contractor started making changes. Schools are tasked with managing public money for the betterment of student outcomes. This was a passion of mine - to implement the best possible service from the available equipment - even against the odds and utilising a fair amount of my own time. In this instance the only person to benefit has been the Principal, who does not have to make IT decisions any more, as they are all contracted out. The facilities to students are ostensibly the same, but rehashed - in some cases causing difficulty and unfamiliarity. They are a national boilerplate template rather than suiting the temperament and experience of the school's own teachers and students.
The school board and Principal have broken school policy, national administrative guidelines, and common decency as espoused in their school special character charter, misled and been misled themselves. So the lesson is this - beware of what is an audit and what is a quote for services. Define the potential outcomes and get an agreement in writing to see the full audit report before agreeing to cooperate or provide auditors with a login to the system. If you are a contractor and your direct manager is clueless about IT matters, then urgently present a case for more involvement with the next level up. If this level too is clueless, then seek to obtain your own independent audit or performance review. Otherwise you may find that another firm sees the naivety of experience in an approach to them, gets you yourself to highlight all the areas of concern, and then presents that as a secretive report against your services and touting for them to take away your contract. Although people say, "May the best man win", it does not come down to that in the end!
