The hooded figure approached the door ever so slowly, as if he wanted each step to cause insufferable pain. As he reached his bony hand to ring the bell for admittance into the sanctum, his scythe reflected the intermittent lighting emanating from a defective overhead bulb. Somewhere in the distance, a bell tolled.
If this is the mental picture you conjure when you have been told that you're going to undergo an audit, you're probably not alone. There are many that fear the auditor as much as they fear the grim reaper and for the same reason - they have never met either of them. Yet many have heard stories about them that send chills down one's spine. And like many a ghost tale, the facts are exaggerated and rarely resemble the truth.
The purpose of the audit function is to assist someone (a governing body, management, the public, or any other individual or organization) in their capacity as an oversight body, to ensure that management is running the organization properly. The credibility of the audit bodies stem from the fact that they are impartial third parties who have no vested interest in the outcome of the audit other than to present a fair assessment of their findings.
Organizations employ internal auditors to assess and maintain the integrity, efficiency, and effectiveness of financial and other management control systems within the organization. Organizations employ external bodies for audit to gain an outsider's "stamp of approval" on their operations or are subject to external audit by an oversight body that wants an independent measure of an organization.
There are many kinds of audits that can be performed by either an internal or external auditing organization. Some of these are: Operational Audits, Financial Audits, Information Systems Audits, and Compliance Audits. Generally speaking, audits, no matter the type, consist of four phases: Planning, Fieldwork, Reporting, and Follow up.
The Planning Phase usually consists of an engagement letter that outlines the scope of the audit and is sent to the senior manager of the organization. This is followed by an initial or entrance meeting in which the audit team is introduced to management and the objectives of the audit are further clarified. The audit team at this time will probably request additional detailed information that will help them create their engagement plan.
The engagement plan in terms of what the auditor's needs are, when they will begin their fieldwork, types of information needed, key individuals identified etc. is presented to management before fieldwork begins.
The Fieldwork Phase is the information gathering phase during which the audit team will be present on premises collecting information via records review, interview, survey, testing, and any other means appropriate to the type of audit being conducted. This phase is concluded when the auditor has compiled a list of findings on which to base his draft audit report.
The Reporting Phase begins with an exit conference during which the findings are discussed with senior management. The audit team will then create a report of their major findings and recommendations. The less significant or risky findings are usually dealt with in a management letter. The draft audit report will be presented to management for fact validation and any responses to the findings. A finalized report is then prepared and distributed to the appropriate parties.
Depending on the type of audit and the results of the audit, a follow-up audit can be conducted as part of the Follow-up Phase.
There obviously is a great deal of detail that I have glossed over in my description of an audit above, however I believe I have provided enough information to demystify the process and give the potential subject of an audit some idea of what he or she can expect. More importantly, I wanted to save some space in my writing to give you some pointers on how to prepare for an audit. So here are my top ten tasks to prepare for an audit:
1. Get a copy of your organization's last audit. Read it and look for findings related to your area of responsibility. If you are cringing when you read it because you recognize that the findings describe your current operations, be aware that you will probably see those findings again. Depending on the findings, you may be able to put corrective actions into place pre-audit that can save you some heartache later.
2. Update your policies and procedures and make sure they have been distributed to employees.
3. Gather your documentation. If you don't have documentation regarding a policy or procedure, you have nothing. For example: You may have a policy or procedure that says that all changes to a server must be documented in a change control log. If you can't produce the log or no one has been keeping the log up to date, it's akin to having done nothing at all. Telling the auditor that staffers inform each other of the changes made is pretty much a waste of breath - if it's not in writing, it didn't happen.
4. Documentation can consist of phone logs, e-mails, faxes, letters, memos, voicemail, system logs, and so on. In the example above, if it can be shown that an e-mail was sent out to all concerning the server changes each time a change was made, this can serve as proof that the procedure was followed.
5. Understand what separation of duties means. This is a tough one for IT shops that are thin on personnel and have people perform more than one function. Here's the definition:
"Separation of duties in basic terms means that no single individual should have control over two or more phases of a transaction or operation, so that a deliberate fraud is more difficult to occur because it requires collusion of two or more individuals or parties."
For example, the system admin for a payroll system should not be the person responsible for assigning accounts and passwords within the system nor should they have a log in.
6. Understand what kind of audit your unit will be undergoing. The different kinds of audits will focus on different kinds of things. For example, if you're undergoing a financial audit and your unit doesn't have access or control over a financial system, other than perhaps reviewing your purchases, your unit may not even be looked at.
7. Find that "lost" equipment. Update your inventory - especially items that cost more than $500.00
8. Be able to show how equipment was procured.
9. Review your backup and recovery procedures.
10. Review your security procedures. Be able to demonstrate a patch management strategy.
An audit can be a harrowing exercise, particularly if one's organization is flying by the seat of its collective pants. The more one can invest in the time it takes to define policies and procedures, document adherence to those procedures, separate duties as much as possible, and perform all those mundane tasks that people like to put off because they're overworked, the smoother things become at audit time. I think the most important thing one can do prior to an audit is to get to know your organization's internal auditor/inspector general. That person is there to help you make sure you are doing the right things that will enable you to pass an audit. Approaching him before he approaches you is a good start at avoiding the nightmare one can conjure up once you have been informed that an audit is coming.