No one enjoys IT audits. But there are several ways you can optimize their benefits and make them less threatening for your staff.
IT audits strike fear into the hearts of most IT'ers -- but they also ensure that you are meeting the IT safety expectations of your stakeholders and the regulatory requirements of your industry. Here are 10 best practices that can help audits flow smoothly, while delivering lasting benefits that improve IT performance.
1: Maintain an atmosphere of openness with your stakeholders
There is a natural tendency in IT to keep audit activities and findings under wraps as much as possible. This is because audits are intended to find holes in your systems and to identify weaknesses -- and no one likes their oversights exposed.
However, many IT managers find that they are ahead of the game if they approach audits openly with their bosses, boards, and stakeholders by speaking candidly (before auditors arrive). They can discuss areas of IT where they think there might be exposure to security breaches or less than ideal practices, and explain how they hope auditors will help identify these areas and prescribe solutions. Board members usually come from management positions themselves, so they understand the role of auditors. They also understand that auditors stay in business when they find oversights that everyday staff members are likely to miss.
2: Complete open items from prior audits
Never, ever face an audit with open findings from a prior audit that you have not resolved or made acceptable progress on. If you do this, your superiors are going to wonder why these items are still open, and that is not going to reflect well on IT.
3: Select auditors who will provide you with senior people
Before signing on the dotted line with any audit firm, have the firm identify the people who will be assigned to your audit, as well as the person who will have overall responsibility for the audit engagement. Especially if your company is smaller, there is a tendency for some audit firms to place more junior people in these engagements. What you want is a senior person who knows the ropes, has seen many different enterprise environments, and is capable of giving you sound and seasoned advice on how you can improve your operations and your policies.
4: Identify training objectives and best practices for staff ahead of time with auditors
Many IT departments tend to approach IT audits as they would a doctor's exam. They get the auditors started and then they stay in their offices, hoping for the best. But good IT managers get aggressive in audits by performing their own informal assessments of potential weaknesses in advance of an audit and by identifying training and knowledge areas for IT that can be enhanced by what the auditors might know. Some managers even arrange a preliminary conference with their auditors so they can work together on the audit and also on possible training opportunities for IT in particular operational areas.
By approaching audits as opportunities for staff growth as well as for operational corrections, IT (and the company) can derive greater benefits from the dollars spent on audits. Derivative training and educational activities should also be reported to the board and to other stakeholders concurrently with the results of the audit.
5: Compile all needed materials into an organized online folder or physical book before auditors arrive
Audits flow most smoothly when an online directory or even a physical binder containing information the auditors have requested is assembled before the auditors arrive. This minimizes the number of interruptions that auditors will impose on your staff because they need information.
6: Create an isolated area for auditors to work in
No matter how well planned your audit visit is, having auditors on site disrupts workflows and distracts staff. It is best to set up an isolated workspace for auditors. This will minimize disruptions and give the auditors a quiet place to do their work. You also want this area segregated from your general operations because you will want only experienced persons (e.g., supervisors, managers, administrators) from your staff answering questions from auditors. Isolating auditors from staff work areas helps facilitate this.
7: Identify the people who are going to work with the auditors
These people should be senior staffers who know how to work with auditors and handle auditors' questions. When companies give auditors the run of the office and there is not a legitimate reason for doing so, junior staff people can prompt audit questions (and billable hours) that wouldn't even have come up if a senior person had been there to explain an operation to an auditor.
8: Help create an advance agenda for your auditors and form a team approach
You should plan to play a leading role in organizing an agenda for an onsite visit from your auditors. It is easy for IT to sit back and just let auditors develop their own agendas. But again, your agenda (and goals) should cover not only the audit itself, but also the best-practice development and training opportunities it offers your staff.
9: Open your exit interview with auditors to interested stakeholders
Auditors will generally give you a preliminary edition of their report and findings for your review and comments -- and then a final report that contains any revisions and that addresses your comments. The report is reviewed and discussed in an onsite exit interview. The natural tendency is to keep this meeting as closed as possible. But if you have been dialoguing with your board on audit activity, this can also be an occasion to build trust and confidence by extending an invitation to other managers and board members to attend this meeting.
10: Identify future issues and budget needs
Audits cost money, so be sure they are included in annual budgets. If possible, identify a three-year rolling plan on what your audits and budgetary needs are likely to be.
Reaping the benefits
I do not believe I have ever encountered an IT'er who liked IT audits! But there are proactive approaches to audits that can contribute in positive ways to IT best practices and core competencies, while assuring IT and stakeholders that systems are safe. Active collaboration with your staff, your auditors, and your stakeholders brings this about. The more people understand what IT is trying to accomplish in its system stewardship role, the more trust will grow and anxiety will lessen.