Take Control of External Audits

External auditors: You can’t live with them, but you can't avoid them either. Several readers expressed this sentiment after reading "Improving IT Health with Audits," November 2006, InstantDoc ID 93422, in which I wrote about how you could use internal auditing to improve IT services. I think everyone in IT would agree that external audits of IT services are disruptive and time consuming. But by actively managing your audits, you can make them smoother and more efficient.

The Audit Commitment
Conceptually, an external IT audit is a measurable demonstration that an organization’s IT staff is fulfilling its responsibilities. Many organizations face up to five external audits per year. If each audit takes three days, you could be spending almost 6 percent of the year working with external auditors. And that doesn't include the time spent preparing for the audit or putting together the post-audit response. With each audit comes an opportunity cost—the tasks you don't complete because you're busy explaining your policies and procedures to an auditor.

Improve the Process
It's in everyone's best interest to make audits efficient as well as effective. Here are five tips for minimizing the time each audit takes and smoothing the process.

1. Get the methodology and standards in advance. The standards to which you'll be audited (e.g., Sarbanes-Oxley, the Payment Card Industry Data Security Standard) should be decided before the audit begins. From each organization that will audit your IT services, get the standards to which you'll be held, then group together the similar requirements from each standard. For example, put all data-backup requirements in one category and all password policy requirements in another category. Grouping the requirements from all the standards helps you find inconsistencies in the standards and gives you an idea of how much overall compliance work your organization has to undertake before being audited. Because standards are often written by lawyers for other lawyers, not for technologists, you might have to ask your corporate legal staff for assistance in interpreting standards and determining whether the controls you've deployed are sufficient.
2. Schedule all audits to take place at about the same time. Treating audits as unique and isolated events often results in making changes for one audit that contradict a standard for an upcoming audit. Scheduling audits to take place at about the same time helps you reconcile differences in standards and make only one set of audit control changes for the year. Schedule audits at a time that's convenient to your business rather than to the auditors.
3. Place the burden of proof on the auditor. Each audit organization seems to have its own ideas about what constitutes a best practice. Some auditors request bizarre configuration settings or data governance practices without any real science to support them. If an auditor gives your organization a poor mark for something that you don’t believe is a best practice, put the burden on the auditor either to point out where the practice is mandated in the standard or to cite reputable sources that support the practice.
4. Record the cost of audits. Use activity-based accounting to calculate the amount of time each person involved spends on each audit and the value of that time according to each employee’s fully burdened wages (i.e., cash compensation plus bonus and benefits). You might want to get help from someone in your company's finance department who has a background in managerial accounting. Your organization can then build these costs into its business plan, and perhaps even pass the cost of the audit to the business unit that required it.
5. Beat auditors at their own game. To quote Sun Tzu in The Art of War: Keep your friends close, but your enemies closer. Take audit-training courses and become skilled in performing audits. In addition to having a better understanding of audits, you'll share a common language with auditors and benefit from better communication. For more information about auditing standards and training, go to the Information Systems Audit and Control Association (ISACA) Web site at http://www.isaca.org. Consider obtaining ISACA's Certified Information Systems Auditor (CISA) certification so that you can perform the secret auditor handshake at the outset of an audit—you might be surprised how far it will go.

Too Many Bad Apples
Because too many bad apples have reduced trust in corporate and data governance, external IT audits have become a legal liability shield and won't go away any time soon. Use these tips to take control of the auditing process and make audits less burdensome.