By developing the scope up front with the auditors, IT security can ensure that the auditors spend their time reviewing the parts of business operations that security wants examined, and in return give security an impartial view of those operations.
Along with scoping the audit, IT security needs to work with auditors to understand what else they might have on their agenda.
“Different audits may require different resources, so understanding the audit scope and schedule up front allows you to make sure that the appropriate individuals attend the necessary meetings,” Wyckoff says. “There’s nothing worse than sitting down for an audit meeting to quickly realize you do not have the appropriate resources in the room to answer the questions the auditors were looking to ask.”
Once the scope is identified and agreed upon, you can start the preparation work. “It is a good idea to get a list of requested items from the auditors in advance so you know exactly what documentation they will be looking for,” Wyckoff says. “If any cloud services are within the scope of the audit, you may want to request any service audits such as a SOC 1 or SOC 2 audit from the service organization.”
When preparing for an audit, it’s critical to understand what the auditors are looking at and how it’s relevant to your environment, adds Josh Feinblum, vice president of information security at security technology company Rapid7.
“Your preparation and response are wholly driven by the evaluated controls and purpose of the audit,” Feinblum says. “Are the auditors using prescriptive benchmarks like ISO 27001, FedRAMP, or PCI DSS? Is the audit being done to help your organization improve its controls?”
Eliminate any disconnect between IT and the compliance/audit function. “This is drastically important,” Pike says. “One of the biggest problems with IT audit is that the results are often meaningless. The reason they are meaningless is because IT controls and audit control tests don't always get to the root of a potential risk.”
For example, a control test might request verification that user passwords are changed every 30 days. “In response, an IT professional might provide the auditor with a screenshot of a domain policy that, sure enough, shows a box that is checked and a setting of 30 days for changing passwords,” Pike says.
“The problem is that this evidence alone doesn't actually tell an auditor enough to actually verify that all users are forced to change their passwords every 30 days,” Pike says. “There could be a number of exceptions or technological problems that allow user passwords to remain unchanged indefinitely.”
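The gap Pike describes is checkable rather than hypothetical. The PowerShell below is an added example, not the article's or any quoted person's own method; it assumes a Windows Active Directory domain (the “domain policy” in Pike's example), a host with the RSAT ActiveDirectory module and read access to the directory, a 30-day maximum password age, and an output file name chosen here for illustration. Instead of a screenshot of the policy setting, it produces the thing an auditor actually needs: the list of enabled accounts on which the 30-day rotation is not, in practice, being enforced.

```powershell
# Added example (not from the article): check whether every enabled account is
# actually subject to the 30-day rotation that the domain policy screenshot claims.
# Assumptions: RSAT ActiveDirectory module, domain-joined host, read access to AD,
# a 30-day maximum age, and the output path below (all chosen for illustration).
Import-Module ActiveDirectory

$MaxAgeDays = 30
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# 1. The setting the screenshot shows: the default domain password policy.
$Default = Get-ADDefaultDomainPasswordPolicy
Write-Host ("Default domain MaxPasswordAge: {0} days" -f $Default.MaxPasswordAge.Days)

# 2. Fine-grained password policies (PSOs) override the default for the users and
#    groups they apply to. A PSO with a longer maximum age is one way the default
#    policy screenshot becomes misleading evidence, so list every PSO in the domain.
foreach ($Pso in (Get-ADFineGrainedPasswordPolicy -Filter *)) {
    Write-Host ("PSO {0} (precedence {1}): MaxPasswordAge={2}; applies to: {3}" -f
        $Pso.Name, $Pso.Precedence, $Pso.MaxPasswordAge, ($Pso.AppliesTo -join '; '))
}

# 3. Account-level exceptions, which no policy screenshot can show. The extended
#    properties requested here are computed by AD from the account's flags and pwdLastSet.
$Users = @(Get-ADUser -Filter { Enabled -eq $true } `
    -Properties PasswordNeverExpires, PasswordLastSet, PasswordExpired, LastLogonDate)

# (a) "Password never expires" flag set on the account: MaxPasswordAge is ignored entirely.
$NeverExpires = @($Users | Where-Object { $_.PasswordNeverExpires })

# (b) Password older than the cutoff yet not marked expired: the account is governed by
#     something other than the 30-day default (typically a PSO), so rotation is not enforced.
$NotEnforced = @($Users | Where-Object {
    -not $_.PasswordNeverExpires -and
    $_.PasswordLastSet -and $_.PasswordLastSet -lt $Cutoff -and
    -not $_.PasswordExpired
})

# (c) Expired but still enabled: the policy "worked" on paper, but the old password stays
#     on the account until someone logs on interactively. Service and shared accounts,
#     and leavers whose accounts were never disabled, tend to land here.
$ExpiredStillEnabled = @($Users | Where-Object { $_.PasswordExpired })

# (d) No PasswordLastSet at all (pwdLastSet = 0): a must-change-at-next-logon flag that
#     only fires at the next interactive logon, which for some accounts never happens.
$NeverSet = @($Users | Where-Object { -not $_.PasswordLastSet })

# Summary for the meeting ...
[PSCustomObject]@{
    EnabledUsers              = $Users.Count
    PasswordNeverExpires      = $NeverExpires.Count
    OlderThanCutoffNotExpired = $NotEnforced.Count
    ExpiredStillEnabled       = $ExpiredStillEnabled.Count
    PasswordNeverSet          = $NeverSet.Count
}

# ... and the evidence itself: the named exceptions, not a count or a screenshot.
$NeverExpires + $NotEnforced + $ExpiredStillEnabled + $NeverSet |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet, PasswordExpired, LastLogonDate |
    Sort-Object PasswordLastSet |
    Export-Csv -Path .\password-rotation-exceptions.csv -NoTypeInformation
```

Run it with an account that can read user objects across the domain (a normal domain user usually can); it makes no changes. The point for the control test is step 3: a policy setting of 30 days is a statement of intent, while the per-account flags, PSO membership and last-set timestamps are what determine whether any given password has actually been rotated, and those are what the CSV records.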
Unfortunately, there is often a lack of coordination between IT and the audit function. “The auditor has a task to do and the IT professional probably views it as a burden,” Pike says. The two need to communicate about exactly what’s needed.