If you work for a publicly traded company, a bank, or a healthcare organization, chances are you've already come into contact with IT auditors from your company's internal audit department, public auditors, or some type of government regulator or examiner. Even small companies aren't exempt from the IT audit process. If you provide services to larger public or regulated firms, your business partners will want assurance that sufficient controls are in place to protect their interests and avoid exposing them to risk. To provide that assurance, you'll probably have to let the business partner's IT auditors or an independent firm perform an audit of your IT controls.
The knee-jerk reaction by many IT pros is to resent or even resist IT auditors and their processes or, at best, view audits as a necessary evil. But you might as well embrace the audit process and reap as much value from it as possible. Depending on the auditors, you might be able to use an audit as an opportunity to improve security, policy, and technical controls. By cooperating with auditors and understanding the real business goals behind the audit, you could also preempt recommendations that are off target and a waste of effort. To better cooperate with IT auditors, it helps to understand what they're looking for and how they work.
How Auditors Operate
Quite often a team of auditors will conduct the audit. This team might consist of a partner you rarely see but who signs off on the final audit, a senior auditor who directs the team, and two or three junior auditors who churn through the various reports, logs, documentation, and interview notes collectively referred to as evidence. It's good to be aware of the roles of the team members so that you communicate with the right people at the right time.
Make sure you understand the scope of an auditor's project. Public accounting firm auditors and government examiners usually operate within a limited scope that corresponds to their legislative mandate. For instance, if you work for a publicly held company, public auditors will focus on systems and applications that are termed financially significant; they'll also focus on controls that ensure the integrity of the company's financial statements. (See the sidebar "The Importance of Controls" for more information about this critical aspect of the IT audit.) Bank examiners focus on privacy of customer information and the safety and soundness of the bank. In the healthcare industry, the focus is on privacy of patient information.
Internal auditors, on the other hand, have a much broader scope because they're usually charged with identifying any type of risk to the company. Sometimes internal auditors also have a mandate to identify inefficient processes and waste.
Auditors will often know less than you do about Windows and other technologies, but don't write off their observations or methods. A good IT auditor can apply a fairly uniform methodology that is largely independent of any particular product or technology and still identify risks or inadequate controls in your company.
Other auditors rely instead on a work program, or audit program, to tell them what information to request and how to analyze it. Unfortunately, most audit programs I've seen for Windows and Active Directory (AD) are incomplete or ask for inconsequential or outdated information. However, unless a request is unreasonably time consuming, I recommend cooperation; you'll get a chance to respond to the auditors' observations before the report is finalized.
Remember that auditors like documentation. This isn't because they're paper pushers but rather because audit techniques and legislation such as the Sarbanes-Oxley Act (SOX) require documentation to demonstrate that a process is actually followed, not just described. Claiming that you evaluate each security update as it's released isn't the same as producing brief minutes from each meeting in which you discussed the latest security updates from Microsoft and other vendors.
Audit reports vary slightly in format but generally consist of a list of observations or findings. Each finding will have a description of the risk, a recommendation, and usually a high, medium, or low criticality or priority rating. If the auditor can't make a good argument for considering the finding a risk, it probably shouldn't be on the report, and you might consider making a case for having it removed before the final report comes out, depending on the dynamics of the audit process at your organization. Most audit processes also provide for management responses to each finding; these responses are documented at some point during the audit or in the follow-up work. When auditors cite or recommend a best practice, they're referring to a method or standard recognized as the preferred way to handle some task, whether it's managing access control or deploying security updates.
A Win-Win Situation
An audit can be a positive thing. The audit report might identify some important areas in which you could improve security. Furthermore, auditors can often give you the justification you need for changing security processes or investing in security technology that you've been unsuccessful in getting approved on your own. At the same time, cooperating with the auditors helps build your reputation as a team player and results in a better audit.