If you were to ask an IT professional to name the one thing they dread most, a visit from the auditor would likely be right up there next to Windows XP migration. Due to the massive and ever-growing list of compliance regulations, organizations are finding themselves in the crosshairs of audits. In a perfect world, these enterprises would know exactly when an auditor is going to show up, the questions they will ask, and data would be presented on a silver platter ready to prove the organization's compliance. Nevertheless, compliance audits do not work that way, but there are a number of ways to minimize the fear before an audit.
Eliminate complexity and consolidate data. If an organization's IT infrastructure is set up in silos and has a separate administrator for every platform, each will need to perform a search and query to show which data an employee has access to, along with how they obtained that access. An auditor may ask, “How many systems/applications are currently accessed?” Say there are nine systems. That means that at least nine administrators have to search to see if someone has access, then look through event logs to determine where that access came from. It's also likely that nine different applications exist within the same organization, leaving administrators to show then that someone is not able to access those applications. Needless to say, it would be easier to eliminate the complexity and store all of the data in one searchable database.
Get the auditor out of the office as quickly as possible. You don't need to rush the auditor out the door, but all data should be easily accessible and searchable so the auditor doesn't need to wait while you search for the proverbal needle in a haystack. For example, if identity access data is consolidated in one location and can be searched quickly, an auditor will be able to run their report and be on their way in a timely manner.
Explain continuous control. Sharing data with an auditor is risky. If you offer too much information, they will likely dig deeper and spend more time auditing your company. Impart to the auditor that you have software in place that keeps your organization in compliance. This data may answer the auditor's question about how your organization maintains continuous control. By exposing the software and processes your organization has in place will prove to the auditor that your organization is truly compliant in a 24/7 fashion. Keeping methods in place that alert you to non-compliance and long-term log storage configuration will also help to prove continuous control.
Take on the role of the auditor to find errors first. Discovering a compliance violation is not ideal for any organization, but finding it during an audit is worse because it leaves IT scrambling to fix something that was missed. Why not run reports ahead of time? For example, if you know the auditor is coming to evaluate how your organization adheres to PCI requirements, it would be helpful to run reports specific to those requirements to see how your organization stacks up. If you do find an error or violation you can address it before the audit begins. This will prevent an IT department from being caught off guard during an audit.
Following these steps can help you fly smoothly through your next audit in an efficient and potentially rewarding way for you and your auditor.
