Why Is Your IT Audit Taking So Long?
There's no shame in admitting that audits are hard. For those of us in IT, hearing the word "audit" probably brings up a groundswell of negative connotations and the corresponding aggravation and headache: We know from having lived through it that tech-heavy regulatory audits -- annual PCI assessments, HIPAA audits, ISO, etc. -- cut directly into our staff's ability to get their already-busy jobs done.
Expect reduced productivity from employees, intrusive questions that take time to research and answer, extra hours spent gathering evidence and reports, dusting off documentation you haven't seen in ages -- and not to mention the possibility of audit exceptions and not-so-flattering observations as a result.
In some respects, going through an audit is a lot like running a marathon: certainly doable. but grueling without adequate preparation. I've never run a marathon, but I remember running the mile in gym class. For me, it was pretty hard since I wasn't in the best shape. Later, after I started a jogging regimen, running a mile got much easier. The point: If you put the effort into training and preparation, you can take a challenging task and make it easy. The same is true of the audit process.
Now, I'm not suggesting that you spend inordinate amounts of time and effort just to get ready on the off chance that an auditor should show up; but most companies have the opposite problem. Many firms do very little preparation and advance work for an audit. It's sad to watch: The same firm might get caught year after year in the same reactive cycle of scrambling to respond to the same questions. By putting in the prep time, they could have sailed through the process instead -- and even if they didn't have time to prep fully, even just a little bit of legwork could have reduced much of the overhead.
So with that in mind, let's examine a few ways in which you can streamline the audit process in your organization -- ways you can not only reduce the overhead, but also increase your chances of getting accurate data and fewer issues to remediate.
Step 1: Reduce, Reuse, Recycle
The first thing to remember when it comes to streamlining any audit is to make sure that you view the audit itself as a way to prepare for future audits. In other words, this year's audit is prep work for next year's. No matter what standard you are being audited to (HIPAA, PCI, ISO, etc), remember that the standards tend not to change very frequently. So if an auditor asks you about a particular topic this year, chances are they'll ask about it again next time. So keep a record of what they ask you and who they ask. That way, when they ask you who to talk to about a particular topic, you don't have to do any research -- you already know.
With respect to evidence (log files, account records, system change documentation), keep a record of what evidence they asked for in prior audits and how you collected it. Some of the logs and records they ask for can be tough to produce (and require a learning curve to produce them) -- knowing how to get it done saves you time. Best case: Automate the collection of the evidence so that you can just whip it up if need be with minimal overhead. If you can't automate, at least write instructions so that when the time comes, you can once again get to the evidence that you need. Remember that people change jobs, so the person who produced the report last year may no longer be around to make it happen again this year.
Step 2: Know the Standards
Some people think that it's the auditor's job to know the standards and it's the firm's job just to answer questions. Not so! This attitude is counterproductive to an efficient and well-run audit. In point of fact, the audit process works best when you know the requirements at least as well as the auditors do themselves. Think about it like a test where you have answer key in the back of the book -- it's up to you to read it or not. The regulations are the benchmark, and most of the time they are documented publicly. Failing to read them ahead of time (and prepare accordingly) is a missed opportunity.
Be careful not to go all the way to the other extreme, though. For example, not every employee in your company has to become an expert at every regulation -- but somebody should have a decent working knowledge of what your firm needs to do to comply. Maybe that person is the compliance office, maybe it's the security team, maybe it's counsel. Whoever it is, make it part of their job to keep up with changes to the regs, to learn what they mean, and learn where "gray areas" are that are points of dispute among auditors.
Step 3: Don't Go In Cold
When should the audit start? I'll tell you one thing: It's not the day the auditor shows up. If you wait until folks are actually on your premises before you start, you're in for a hassle. Do some pre-work ahead of time and put a cogent "story" together in writing that explains how you've addressed the requirements in scope. If you've done remediation work, write it down. If you have compensating controls, write them down.
Anyone can miss the boat, so if you find yourself in a situation where you don't have the pre-assessment complete, still spend some time thinking through ways you can demonstrate you're meeting specific requirements before you sit down with the auditors. Every standard has its own set of "gray areas" -- areas where individual interpretation can have an impact on whether or not a control is applicable or the lengths you have to go to meet the requirement. Understanding the requirements and coming to your own interpretation means you don't have to think on the fly during the interview. The most inaccurate answers (and those most likely to lead to exceptions) come when people lose their cool, misunderstand a question, or haven't done the research prior to an interview.
Finally, remember that in most audit scenarios, you are the customer. Your firm is most likely paying the auditor to be there (you're paying one way or the other: in overhead or in fees), so do the work; if the choice is prepare (pay less to get more) or do nothing (and suffer), make the wise choice.
Ed Moyle is currently a manager with CTG's information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.