Tip Doctor, Insider Learning Network.
The following tip comes from Jamie Croudace’s presentation “Tips for Involving Internal and External Audit Teams in Your Security Design Process” at the GRC 2011 conference in Las Vegas.
Let’s face it, no one likes to be audited! Whether it is your internal auditors in the office or the IRS looking into your affairs, we all avoid the process if at all possible. However, as audit firms have become more technically savvy and the weight placed on Sarbanes-Oxley compliance has grown, the importance of involving audit (both internal and external) at every stage of your security implementation and its ongoing support cannot be overstated. Check out the following checklist of things your organization should require from your auditors.
Checklist of Items You Should Require from Your Auditors
1. Before the audit
- Clear scope and rationale
- Defined communication/escalation protocols
- Understanding of how they intend to perform their work
  - Will they rely on the work of others?
  - Will they be sample testing/inquiring?
  - What in their approach has changed from the previous year’s approach?
- Understand who they want to talk to and for how long
  - If they don’t know who specifically, get them to tell you generally what types of people so you can identify them before they are in the field
  - Set up meetings with these people for the auditor in advance
- Fieldwork schedule (with clear delivery dates)
- Understanding of the deliverable
  - Who will it be reported to?
2. Throughout fieldwork
- Updates to key dates/deliverables (verbal and written communications to avoid misunderstanding)
- Changes to scope / approach and why
3. Before they leave the field
- “No surprises” meetings with your control owners and operators (depending on how large the scope is, you may require these throughout fieldwork)
- Preliminary issues/findings listing
- Any feedback on the environment generally, how the audit went, and ways to make it more efficient in future
4. After they leave the field
- Formal report with recommendations
- Meetings to ensure all issues are understood fully and recommendations are feasible
- Area for management to respond (and do use this!)
- Final report issued with your comments incorporated. This is how you ensure the issues are understood and that you agree with them (you won’t fix anything if you don’t agree it’s a problem in the first place, right?)