IT departments can reduce their audit anxiety by taking four proactive steps. These measures can also enhance an organization's overall security and compliance.
An important part of corporate health and governance is airtight compliance and security that can withstand the most rigorous of threats, and yet a number of companies are still underprepared.
"We continue to see many organizations viewing PCI (Payment Card Industry) compliance as a single annual event, unaware that compliance needs to have a 365-day-a-year focus," said Rodolphe Simonetti, managing director for the PCI practice at Verizon Enterprise Solutions. Simonetti might just have well have been talking about any other type of corporate compliance.
The reality is that IT (which most of these compliance and security audits ultimately falls upon since they concern systems) perceives preparing for compliance as time that could be devoted to other projects that the department regards as more important. Also, IT departments are known to share a certain "gallows humor" about audits — that is, compliance auditors must find at least several things wrong whenever they audit in order to "stay in business."
Consequently, enduring an IT security or compliance audit has all of the appeal of visiting your doctor for an annual physical. Audits are feared and almost always come at inopportune times, but CIOs and other key IT managers learn to live with them. This is what makes Simonetti's observation spot-on.
If IT can find ways to administer systems audit checks in an ongoing process that in turn lessens the impact of an annual visit by an auditor or an examiner, the formal audit review process could become much more seamless and less intimidating. Most importantly, such preventative measures can enhance overall corporate well-being when it comes to security and compliance. Here are four ways to do this while also carrying an IT project load.
1: Focus compliance efforts around a single control point.
In most cases, focusing compliance efforts around one point means appointing someone on the IT staff as the audit "central command person." This person (if your industry is highly regulated) can in turn interface with a corporate regulatory function that exists in the business. Some of the individual's responsibilities would include reading the latest publications and attending regular conferences on changing security and regulatory measures that will affect the enterprise, and scheduling IT work to ensure continued compliance.
2: Plan and budget for regular IT work in compliance every year.
Compliance is continuously changing, so you are going to be working on compliance every year. The organizations that deal best with this reality proactively plan budgets and implement compliance measures when they become known, and not when auditors discover that they are missing.
3: Perform regular audits with internal auditors or an outside team that is distinct from your regulators.
Developing a regular audit schedule for internal system, policy, and procedure checks is a way to make sure that you are ready for auditors and examiners. These dry runs also position you at the forefront of security and governance requirements for your company.
4: Prepare your documentation in a single binder or efile in advance of the visit by your outside audit team and/or industry regulator.
In my early days as a CIO, I thought that neatly placing every policy, procedure, system flow diagram, etc. in one binder or efile for an incoming audit or examiner team was overkill, but I quickly learned that it wasn't. Nobody wants to end up with myriad audit findings that you, the CEO, the board, and the stakeholders all see. While an auditor or examiner is going to let you know where your vulnerabilities are, presenting them with a neatly organized file of your governance, security, and compliance gives them an initial first impression of your company's preparedness, and that can go a long way in their ultimate assessment.
Tell us how you prepare for audits
How does your IT department prepare for compliance and security audits? If it already administers systems audit checks in an ongoing process, are there additional tips you'd add to our list? Post your experiences and feedback in the discussion.