Like it or not, everyone has to budget for and perform regular IT audits. But there are still some creative ways to get the most out of your IT audit spend. Here are 10 ways to go about it
1: Tighten up your policies and procedures with best practices
Audit firms work with thousands of companies, and they stay abreast of new regulations and compliance requirements. In many cases, these firms develop templates of policies and procedures that they are willing to share when you engage them. This can simplify your own policy and procedure development since you have a generic "best practice" template from your auditor to get you started.
2: Improve your informal audit capabilities
If you're hoping to improve your own internal audit capabilities, a good place to start is to have the persons on your staff who will be charged with performing those audits work directly with your audit firm when it is onsite. This is an excellent way for your staff to gain training and knowledge of best practices.
3: Learn about new security threats and technologies
Your outside audit firm will be well versed in new and upcoming security threats, as well as how to prepare for them. Spending some time with them on these looming issues can be invaluable.
4: Share audit expenses with other small companies
Audits are expensive, especially if you're a small company. One way to reduce expenses is to team with other small companies that are in the same situation to see if you can collectively get a package deal with a price discount from an audit firm in exchange for engagements spanning multiple companies.
5: Plug audit recommendations into your vendor SLA reviews and negotiations
Few companies take the time to update SLAs with their vendors based upon changing technology and industry trends. The best SLA strategy is to review your SLAs annually with key vendors and to update SLAs where needed. Your auditors are an excellent source of input into this process because they see many different companies and vendors.
6: Leverage audit recommendations to achieve regular reviews of data retention and access compliance
Revisiting data retention and access policies on an annual basis is one of the hardest things for IT to accomplish with end users. The principal reason is that people are always busy, and reviewing how long information is stored or who accesses it is not a high priority for most. However, if you ask your auditors to look at data retention/access and make a recommendation that this exercise should be conducted at least annually, which they will do, you'll get visibility of the need for review in a finished audit report that goes to your board and upper management.
7: Identify dormant pools of data, reports, and systems
Because IT audits investigate data storage and control points, an audit is the perfect place to identify pools of data or IT resources like reports or systems that are becoming dormant and/or unused. This is an opportunity to recommend de-implementing these assets based on audit report findings.
8: Audit field offices
It's tougher to keep field office data and security practices in compliance than it is at headquarters, since these offices are removed from central control mechanisms. As part of your audit, you will want to include audits of several of these outlying offices to ensure that you are doing as well in the field with managing your IT as you are at headquarters.
9: Invite your auditors to report to the board on your audit and on general security trends
It can be nerve wracking to invite auditors to speak to your board, but the opportunity for board education on security issues is a critical matter. It will set the table for future compliance and security/privacy issues (and expenses) you might have to present to the board.
10: Brief legal counsel on audit results
Almost always, the pace of law lags the pace of technology. If your auditors brief you on new or upcoming compliance, privacy, and security trends and regulations, be sure to share this information not only with your staff, board, and upper management, but also with your legal counsel.
Security and privacy: New challenges (ZDNet/TechRepublic special feature)
What ways have you found to make IT audits go more smoothly? Share your suggestions with fellow TechRepublic members.
Mary E. Shacklett is president of Transworld Data, a technology research and market development firm. Prior to founding the company, Mary was Senior Vice President of Marketing and Technology at TCCU, Inc., a financial services firm; Vice President of Product Research and Software Development for Summit Information Systems, a computer software company; and Vice President of Strategic Planning and Technology at FSI International, a multinational manufacturing company in the semiconductor industry. Mary is a keynote speaker and has more than 1,000 articles, research studies, and technology publications in print.