The Equifax data breach that exposed the information of 143 million Americans should strike fear into the heart of every CIO. The fact that such a breach happened–when a simple software patch could have been applied months earlier–contradicts IT best practices in patch management. Yet every CIO and IT manager knows that software maintenance and patches don’t always happen when they should.

One of the things you can do to improve patch execution is to work with staff to tighten up your practices. But another avenue IT should consider is allocating some of next year’s budget for outside audits. The idea is timely because the time to develop budgets for 2018 is now.

The normal approach to budgeting for IT audits is to fund them at about the levels they were funded the year before. However, given the seriousness of the Equifax breach and the lessons learned from it, I am going to argue that you should consider adding to the audit budget for next year. These extra funds should be used to audit the policies, practices, and execution of software maintenance and patch management.

Getting the most from an audit

There are several key steps that you should take before auditors arrive:

Review your policies and procedures. It is essential that you (or your internal auditor, if you have one) review your existing policies and procedures for software updates, maintenance, patch management, and security before an auditor arrives at your site to begin an engagement. By doing this, you will already have a sense of where you feel you are strong and where you think that an auditor could suggest improvements or best practices for your processes that you haven’t used before.

Talk to your auditor in advance about any concerns. You’ll get the most out of outside audits if you take the time to get acquainted with your auditor before the engagement begins. That way, you can create a cooperative team effort before work starts. Use the opportunity to find out in advance what types of documentation the auditor wants to review, so you can have those documents available and accessible when the auditor arrives. If you think an area requires more policy and procedure development, or more controls, bring it up to the auditor in your pre-engagement phone call or meeting. This gives the auditor a heads up on where you are looking for best practices.

Keep your management and the board informed. Stay in touch with your management and with the board. Tell them what you know and expect by citing those areas of your operation where you feel you are strong and those areas where you feel there could be improved best practices or controls. Also let them know what you’ve asked the auditor to look at. Bringing up these issues directly with management and the board will help you gain their support and their confidence. Then, if the audit does uncover any significant findings, you can share this information with management and make the necessary changes.

The auditor will find something

Your auditor is going to find something, no matter how airtight your operations are. Finding holes and suggesting remedies is what they’re paid to do. Even if your policies, procedures, and operations are flawless, auditors will still leave you with something–like a list of best practices or considerations you should think about for the future.


Historically, CIOs and IT managers have dreaded (and even feared) outside IT audits. An alternate perspective is to use these audits as opportunities to proactively tighten up policies, procedures, and operations, in patch management as well as in other IT areas.

If you communicate what you want to accomplish with these audits to upper management, the board, and your staff, everyone is going to feel reassured–even if the audit does reveal a significant finding or a hole in procedures. Holes that are found can be plugged. It’s the best insurance possible for avoiding a security breach that could compromise your company, your customers, your staff, and your career.