February seems to be audit month where I work. All kinds of auditors come in and of course, all of them want to know about the security controls of IT systems, which means just about every audit is an IT audit. Having been through this for the past several years, I thought I'd share my top six tips for getting through IT audits and Information Security audits, in particular.
Tip #1 - Be prepared, if possible
If you know that February (or whatever month) is typically the time auditors show up, put a reminder on your calendar at least 30 days in advance and start reviewing your data. For example, sometimes you need to show that you've done an annual review of policies and procedures. Great, do that during your 30 day window. If it takes longer, set a longer reminder. If you know that a process has fallen apart, take time to revitalize it. If you believe some sort of required documentation might not be up to par, take time to fix it. This is not cheating, this is ensuring your policies, procedures and processes are in state of continuous readiness. If you get surprised by an audit item request, first consider whether it's legitimate or not. If it is and you're unprepared, simply add that to your preparedness list for next time and take appropriate remedial actions based on audit findings.
Tip #2 - Tell the truth, sparingly
This may sound like I'm saying don't tell the whole truth. Not so. The message here is to always tell the truth, but that doesn't mean you have to air all the company's dirty laundry. For example, perhaps you have a process in place for X, but it's not as tight as you'd like it to be. Depending on what the auditor is looking at, your answer might be "Yes, we do X." or your answer might be "Yes, we do X most of the time, but that's an area for some improvement." or your answer might be "Well, if you can call X a process, I guess, but when Marty took over, he thought he knew better than everyone and he...." Not good. So, don't mislead, but don't spill your guts, either. This leads us to the next tip.
Tip #3 - Understand the broader context and contain the ask
It's important for you to understand the what objectives of the auditors are and what their scope is. It's completely acceptable, when sitting down with any auditor, to ask them some questions to establish this information. For example,
1. Tell me about the purpose of this audit
2. How long will you be on-site auditing
3. What is the scope of your audit
4. What types of documentation will you be asking for
When you understand that you're undergoing a HIPAA audit or a financial audit or a cyber security insurance audit, you can better frame your responses. That means that if the auditor asks for log files related to accessing the medical record, they would be out of line to ask for a list of all employees who have access to the financial systems (as an example). In addition, sometimes auditors will pursue a line of questioning because they see or sense something is off. This is one reason why it's important not to hide anything or to misrepresent the truth. If they understand you are being forthcoming with them, they are less likely to keep digging. And, we all know, the longer you dig, the more you're likely to find. Now, that might be good news or bad news, depending on how you look at it. However, what often happens is that scope becomes a slippery slope and you find yourself discussing things that are really out of scope, but you inadvertently opened the door on it.
Containing the ask means managing the scope. If they ask for X, don't give them X, Y and Z. Out of context, Y and Z might raise far more questions than necessary. Also, some auditors push the boundaries.
Here's a recent example a colleague shared with me.
After discussing audit items, their auditor came back with a clarifying question regarding their annual risk assessment schedule. My colleague, I'll call her Callie, provided the information and the auditor asked when she was going to schedule 2017 activities.
Hmmm. Not really an audit question. It's none of their business when she conducts a risk assessment or a penetration test, really. The question caught her attention, but she answered anyway because she already had the risk assessment scheduled. She indicated she'd just recently issued a PO to a company to perform her risk assessment for this year. The next day, she received an email from the auditor asking her to provide a schedule for 2017 for things like additional regulatory assessments, penetration testing, network monitoring, etc. The auditor's email concluded with a sales pitch for conducting these assessments.
Concerned, she forwarded the email to her in-house expert and shared her thoughts - that this was inappropriate and out of bounds.
She was advised to respond to their email indicating that 2017 activities were not in scope, but that she'd keep the company in mind should she have a need. She won't likely hire them for anything given this blurring of professional boundaries, but she handled it in a clear, concise manner and did not allow scope to creep.
Tip#4 - Respond as quickly as possible, review and contest results
You want to respond to requests for information as quickly as possible. The longer you wait, the more time that gives your auditors to wonder about what you might be up to. There is a normal turn around time for any request, but often you're better off dribbling information to them (as appropriate) than waiting 90 days to produce everything at once (for example). Though every audit is different, be sure to understand the expected pace of information flow so you don't inadvertently raise red flags with the auditors.
Once you receive their draft results, READ IT CAREFULLY. Scrub it. Think through the implications of everything they report. If they are inaccurate, if they have misstated or misconstrued the situation, set it straight, in writing. Understand what your options are for disagreeing with an assessment (whether it's a single sentence, an item or an entire report). Work with your in-house representatives (perhaps your CFO or CLO) to understand options if you find the results to be off-base.
Remember, the purpose of an audit is to review practices to ensure the company is compliant in some manner. Often these are voluntary audits the company undergoes by hiring an outside auditing firm. Other times, these are involuntary regulatory or legal audits that you are required to undergo. Either way, you need to remain cool, calm and collected and think rationally about the findings and the implications of those findings. If they uncover a problem and they're right, so be it. Deal with it by creating an action plan and remediate the issues. If they're wrong, provide evidence that they are wrong and refute it professionally in writing.
Your fiduciary responsibility is to ensure your company and its practices under your control ARE compliant, but we all know that compliant does not equal safe. In the realm of information security, I can have a very secure environment and fail to be fully compliant if I haven't reviewed all policies and procedures in 12 months. OK, I understand why that's important, but what I always say is "I'll focus on locking the door before I'll sit down and write about it." In a perfect world, we would be able to do both, but if you have to prioritize (and most of us do), ensure your covering the most important work first. If that leads to audit findings about the completeness of your paperwork, that's better than a finding about the security of your infrastructure.
Tip#5 - Be kind to your auditors
Voluntary audits are paid for by your company, so this is a company sponsored undertaking and you should view it that way. Involuntary audits are often nerve wracking and they start out feeling hostile from the very beginning. Remember that these folks have a job to do, just like you do. Being polite and professional is not a tool to manipulate a positive outcome, but it does help avoid the auditor taking an adversarial point of view.
Offer them a decent place to work; show them where the restrooms are, where the break room is, where the water cooler is, where local places to eat are that might be convenient, etc. You don't have to cozy up to them, but be kind. It will help reduce tension and will help create a more collaborative environment. You may find that you learn a lot from your auditors, such as how others handle similar situations, best practices and areas where all of their clients struggle, if you have the opportunity for casual conversation.
Tip #6 - Learn From Your Mistakes
So, the audit's over and it was a bit of a blood bath. The auditors had findings that you couldn't quite dispute, you feel like you run a tight shop but several key shortcomings were called out. Ouch. It hurts - your ego, perhaps your department or your professional reputation. Take time to cool down, read through the report again in the privacy of your cubicle or office. Think. Is this a fair finding? Could we do better here? Are they expecting perfection or just improvement?
Typically, it's about making improvements. If you have glaring gaps, you need to have a serious talk with yourself, your team and/or your management so you can figure out why you're so far off the mark. If you have some findings because things are not in tip-top perfect shape, that's normal. If you can look at the report as your opportunity to fine-tune your organization, if won't feel as punitive.
My goal in the audit process is to get an accurate and impartial view of my policies, procedures and practices against industry standards. I expect findings, so I'm rarely unnerved when I receive them if they're on target. My goal for every audit is that the auditor reports back to me and to the organization that things are substantially good (heck, I'll take "great" if it comes up) but there are opportunities for improvement.
Remember, any auditor digging deep enough can find something. It's the nature of auditing. So, rather than having an emotional reaction to it, try to see it as an opportunity to have someone look from the outside in and tell you what they see.
It's never fun, it's rarely easy, but ultimately you can put the information to good use and improve your organization. Keep the end in mind and you'll survive audit season.