How to breeze through your next compliance audit

Bill Evans (left) and Tim Sedlack (right) of Dell Software.

If you were to ask an IT professional to name the one thing they dread most, a visit from the auditor would likely be right up there next to a Windows XP migration. Because of the massive and ever-growing list of compliance regulations, organizations are finding themselves in the crosshairs of audits. In a perfect world, these enterprises would know exactly when an auditor is going to show up and which questions they will ask, and the data would be presented on a silver platter, ready to prove the organization's compliance. Unfortunately, compliance audits do not work that way, but there are a number of ways to minimize the fear before an audit.

Eliminate complexity and consolidate data. If an organization's IT infrastructure is set up in silos and has a separate administrator for every platform, each will need to perform a search and query to show which data an employee has access to, along with how they obtained that access. An auditor may ask, “How many systems/applications are currently accessed?” Say there are nine systems. That means that at least nine administrators have to search to see if someone has access, then look through event logs to determine where that access came from. It's also likely that nine different applications exist within the same organization, leaving administrators to show that someone is not able to access those applications. Needless to say, it would be easier to eliminate the complexity and store all of the data in one searchable database.

Get the auditor out of the office as quickly as possible. You don't need to rush the auditor out the door, but all data should be easily accessible and searchable so the auditor doesn't need to wait while you search for the proverbial needle in a haystack. For example, if identity access data is consolidated in one location and can be searched quickly, an auditor will be able to run their report and be on their way in a timely manner.

Explain continuous control. Sharing data with an auditor is risky. If you offer too much information, they will likely dig deeper and spend more time auditing your company. Impart to the auditor that you have software in place that keeps your organization in compliance. This data may answer the auditor's question about how your organization maintains continuous control. Exposing the software and processes your organization has in place will prove to the auditor that your organization is truly compliant in a 24/7 fashion. Keeping methods in place that alert you to non-compliance, along with a long-term log storage configuration, will also help to prove continuous control.

Take on the role of the auditor to find errors first. Discovering a compliance violation is not ideal for any organization, but finding it during an audit is worse because it leaves IT scrambling to fix something that was missed. Why not run reports ahead of time? For example, if you know the auditor is coming to evaluate how your organization adheres to PCI requirements, it would be helpful to run reports specific to those requirements to see how your organization stacks up. If you do find an error or violation, you can address it before the audit begins. This will prevent an IT department from being caught off guard during an audit.
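The two recommendations above (consolidate per-system access data into one searchable store, then run the auditor's own reports before the auditor does) can be sketched in a few dozen lines. The following is an added illustration, not code from the article or from Dell Software; the two silo exports, the directory status list, the field names and the two self-check rules are all constructed sample data, and any real deployment would read these from its actual identity and log sources.

```python
"""Consolidate per-system access records into one searchable index and
run a pre-audit self-check.  Added illustration, not code from the
article or from Dell Software; all systems, users and policy rules below
are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    permission: str
    grant_source: str  # how the access was obtained: a role, a ticket id, or "direct"


# Constructed: the kind of extract each silo administrator would otherwise
# produce separately.  Field names differ per system, which is the point.
HR_EXPORT = [
    {"login": "asmith", "app": "payroll", "rights": "read", "via": "role:finance"},
    {"login": "bjones", "app": "payroll", "rights": "admin", "via": "direct"},
]
CARD_SYSTEM_EXPORT = [
    {"uid": "asmith", "system": "cardvault", "perm": "read", "granted_by": "ticket:CHG-1042"},
    {"uid": "cdoe", "system": "cardvault", "perm": "write", "granted_by": "direct"},
]
# Constructed: employment status from the directory, used by the self-check.
DIRECTORY_STATUS = {"asmith": "active", "bjones": "active", "cdoe": "terminated"}


def normalize(hr, card):
    """Map each silo's field names onto one Entitlement schema."""
    ents = [Entitlement(r["login"], r["app"], r["rights"], r["via"]) for r in hr]
    ents += [Entitlement(r["uid"], r["system"], r["perm"], r["granted_by"]) for r in card]
    return ents


def build_index(entitlements):
    """One searchable structure: user -> list of entitlements across all systems."""
    idx = defaultdict(list)
    for e in entitlements:
        idx[e.user].append(e)
    return idx


def access_report(index, user):
    """Answer 'what can this person access, and how did they get it' in one lookup."""
    return [(e.system, e.permission, e.grant_source) for e in index.get(user, [])]


def has_access(index, user, system):
    """Answer 'can this person reach that system' without a per-silo search."""
    return any(e.system == system for e in index.get(user, []))


def pre_audit_findings(index, directory_status):
    """Self-check run before the audit.  Constructed rules:
    (1) access not traceable to a role or change ticket,
    (2) a terminated user still holding an entitlement."""
    findings = []
    for user, ents in index.items():
        for e in ents:
            if e.grant_source == "direct":
                findings.append(("untraceable_grant", user, e.system))
            if directory_status.get(user) == "terminated":
                findings.append(("terminated_user_access", user, e.system))
    return sorted(findings)


if __name__ == "__main__":
    idx = build_index(normalize(HR_EXPORT, CARD_SYSTEM_EXPORT))
    print("asmith:", access_report(idx, "asmith"))
    print("bjones can reach cardvault:", has_access(idx, "bjones", "cardvault"))
    for finding in pre_audit_findings(idx, DIRECTORY_STATUS):
        print("FINDING", *finding)
```

The normalization step is where the "nine administrators, nine searches" cost disappears: once every silo is mapped onto the same schema, both auditor questions in the article (what does this person have, and can this person reach that application) become a single lookup, and the self-check is just another query over the same index rather than a separate exercise per platform.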

Following these steps can help you fly smoothly through your next audit in an efficient and potentially rewarding way for you and your auditor.