10 ways you’re failing at IT audits
- 05 July, 2017 20:00
Nobody likes an audit. Even in the best of outcomes, audits take up valuable time that can be used to improve services and grow the bottom line. But a failed IT audit can ruin your week faster than a denial of service attack. Worse, a negative IT audit can feel like a report card on your management ability — and future.
But it doesn’t have to be that way. The next time an internal or external audit group comes sniffing into your IT infrastructure, policies and operations, it can go well — even provide proof of your performance — as long as you’re prepared.
And the first step is to avoid the following all-too-common IT audit mistakes. Heed these warnings and you should be able to avert an IT audit disaster.
You know less about your tech assets than your auditor does
The best defense against negative IT audit results is to know your technology environment inside out. Few people expect an IT leader to personally know each asset, so you have to rely on the process, technology, and people.
“Many organisations I see in Canada still struggle to identify all their technology assets,” says Felix Acosta, manager of CIO advisory at KPMG, a consulting firm. “There is a particular challenge in organisations with older equipment such as an unlabelled server sitting in a room,” he adds.
In many companies, the quality of your IT inventory information is the greater challenge.
“I have seen cases where the organisation has spreadsheets and notes in various places about their technology assets. However, those tracking processes are typically updated manually. Scrambling to update these tracking documents right before an audit is a common practice,” Acosta says.
“If you do not know what your technology assets are, you are likely to have problems with audits,” Acosta explains. After all, if you do not know your assets, how can you enforce controls and document that action? There are a variety of software products on the market that can help with hardware and software asset management. However, these systems may not be comprehensive. For instance, telling an auditor that you do not track cloud assets will not put you in a good light.
You rely on manual processes to address auditor requests
Configuring servers, tools and other technology assets to meet deadlines and fulfill compliance requirements is difficult. And if you aren’t using automation tools to help you, you’re setting yourself up to fail.
Here, John Ray, senior consultant at Shadow-Soft, an open source integrator, recommends an auditing and testing framework.
“I have used Chef InSpec to create easy-to-read reports for auditors. It takes some customisation to achieve results, but it has worked out well,” Ray says. “Rather than using spreadsheets and manual tracking to meet compliance needs, it is much better to use automation tools like InSpec.”
The ability to easily track assets and your environment is especially important when fines and added spending are on the line. That is a key challenge for CIOs when it comes to audits from software vendors.
You have no capacity to challenge software vendor audits
Some technology leaders face greater struggles with software vendor audits, where the stakes are even higher. When a vendor comes in to audit whether you are in compliance with their licensing, it’s best to be prepared for a fight.
“In my experience, software audits are often the most painful practices. I have seen software vendors change the rules. That makes it difficult to know about the changes and keep up with them,” says Gary Davenport, CIO mentor and board member of the CIO Association of Canada. Previously, Davenport served as CIO at the Hudson Bay Company, a national retailer in Canada.
Software vendor audits directly translate into higher expenses in many cases. Take IBM’s change to Passport Advantage for example. As The Register reports: “The message is clear: if you cannot prove during an audit exactly when an overuse took place you pay a full two years' maintenance — that is 40 per cent of license cost.”
Software audits are how high tech plays hardball, and IBM is far from alone in pursuing additional payments. There are specialised consultants and lawyers dedicated to helping clients who face vendor audits from Oracle, Microsoft and other large software firms.
You do not act quickly on audit findings
If the worst-case scenario occurs, you will find yourself with serious audit failures to address. In those cases, a rapid response is the best course.
“You can expect auditors to follow up with you and ask what your response will be,” says Michael Leidinger, CTO of Hilton.
If managers neglect their responsibilities, auditors are not likely to stay quiet about problems they detect. Executives are often copied on audit results, so slow responses will be noted up the chain of command.
Don’t let failing an IT audit be the first step toward a long, hard fall.
You haven’t established a relationship with your auditors in advance
Including auditors as project stakeholders is one of the best ways to avoid painful problems later in the process.
“Including IT auditors in your technology projects makes life easier for everyone. If auditors come in after you have implemented a major system, implementing their suggestions will be much more difficult,” Davenport says. “Including audit in major projects saves time and money. It is also one of the best ways to develop a positive working relationship with the audit group.”
If your group has had a transactional or ad hoc connection with an audit in the past, that is not the only way to operate. Developing an ongoing relationship with audit will help you build trust and minimise communication difficulties.
You haven’t prepared your staff for audit success
Absent any preparation and guidance, an audit is an unsettling experience for your staff.
“Internal audit plays a role in helping the company achieve success. I explain to our staff that they have a job to do and we need to support them in carrying out that work,” says Davenport.
This approach may be supplemented by asking experienced staff to guide newer staff on audit requirements. This kind of informal support approach is not always enough. Consider establishing an ongoing relationship with the audit function at your company.
You have no audit engagement process in place
If your staff feel uncertain or fearful about how to engage with auditors, audits are unlikely to unfold smoothly. Assigning audit management to a few staff is one way to improve.
“When we prepared to take Hilton public, there was a major increase in audit activity. Many of our technology staff were uncertain how to address audit questions,” says Leidinger. “Eventually, we brought two people on board with the responsibility to manage IT audits with experience in audits and technology. They make a great contribution to facilitating the audit process,” Leidinger adds.
You treat auditors like an enemy
Few people are happy to hear about an upcoming audit of their division. Who wants an outside expert reviewing your operation, documentation and interviewing staff? Viewing auditors as adversaries only leads to further problems.
“I view audit as another business stakeholder. Regular meetings with auditors are a key part of the process,” Leidinger says. “In many cases, auditors review our processes against well-known standards and best practices. That assessment helps to validate our process. As we transition our organisation to agile, audit has reviewed our processes and approach. IT has helped us to make a successful transition.”
Preparing your staff to meet these expectations will go a long way toward achieving successful audit results, and you can only do that by viewing auditors as partners in that process — not adversaries. After all, if your organisation is carrying out a business transformation, an audit can serve as an objective way to measure performance in support of goals, and can potentially result in more resources if auditors believe additional resources to be necessary to achieve them.
You trap your staff in complex policies and procedures
As soon as a company reaches a certain size, policies and procedures become indispensable to managing growth. However, your staff may struggle to stay compliant with policies.
“A few years ago, our company launched a major effort to simplify our policies. We sought to make our policies easier to understand and reduce them in number,” Leidinger says. Reducing the policy compliance burden made succeeding in audits easier.
Simplifying an organisation’s policies and procedures is no easy task. It will likely require subject matter experts from multiple units, including compliance, accounting, audit and human resources. Alternatively, you may sponsor simplifying policies specific to the technology area. Consider Sam Carpenter’s book Work the System: The Simple Mechanics of Making More and Working Less for additional insight on how to develop and regularly adjust business procedures and policies.
You have set yourself up for death by a thousand exceptions
Most corporate policies have a process to allow exceptions. These deviations from corporate policy pose a challenge for auditors. Take software patching as an example.
“A recent client faced auditor questions about their software patching methodology. There was a documentation process, but some of the details were not specified. This became an issue because immediately applying a security patch would break an application. The auditor wanted more in-depth process about how exceptions would be handled,” Ray says.
Delayed implementations of security patches increase security risks, so it pays to document the rationale for your delay.
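As an added example (not from the article, nor from Ray or Leidinger), here is a short Ruby script, Ruby being the language Chef InSpec profiles are written in, that checks a constructed patch-exception register for the documentation an auditor asks about: a rationale for the delay, an approver, a compensating control and an expiry date, and flags any exception that has lapsed. The YAML layout, field names and sample entries are assumptions made for the illustration.

```ruby
require "date"
require "yaml"

# Constructed sample exception register (placeholder hosts and patch ids):
# each entry records why a patch was deferred, who approved it, what
# compensating control applies and when the exception must be reviewed.
REGISTER_YAML = <<~YAML
  - id: EX-001
    host: app-server-01
    patch: PATCH-PLACEHOLDER-1
    rationale: "Patch breaks the billing application; vendor fix pending"
    approver: "cio@example.com"
    compensating_control: "Host moved to a restricted network segment"
    expires: 2017-09-30
  - id: EX-002
    host: app-server-02
    patch: PATCH-PLACEHOLDER-2
    rationale: ""
    approver: "cio@example.com"
    expires: 2018-01-31
YAML

# Every field an auditor would expect to see on a documented exception.
REQUIRED = %w[id host patch rationale approver compensating_control expires].freeze

# Validate the register as of +today+. Returns a list of "<id>: <problem>"
# strings; an empty list means every exception is fully documented and
# still within its review window.
def audit_exceptions(yaml_text, today)
  entries = YAML.safe_load(yaml_text, permitted_classes: [Date])
  entries.flat_map do |entry|
    id = entry["id"] || "<no id>"
    problems = []
    REQUIRED.each do |key|
      value = entry[key]
      problems << "#{id}: missing #{key}" if value.nil? || value.to_s.strip.empty?
    end
    expires = entry["expires"]
    if expires.is_a?(Date) && expires < today
      problems << "#{id}: expired on #{expires} (review or renew)"
    end
    problems
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_exceptions(REGISTER_YAML, Date.today).each { |problem| puts problem }
end
```

Run it before the auditor arrives rather than after: an empty result is the evidence that each deferred patch has a recorded reason and an owner.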
Improving your audit results as a technology leader relies on a few principles. First, recognize the value that auditors bring to the entire organisation. Next, develop an internal process to manage audit activities including closing gaps and answering questions. Finally, seek to develop an ongoing business relationship with the audit group. As Hilton’s Leidinger puts it, “I view audit as another stakeholder with perspectives we need to address in our work.”