IT audits can feel like a grim nuisance, but great value awaits those who heed these common mistakes that inevitably lead to an IT audit disaster.
Nobody likes an audit. Even in the best of outcomes, IT audits take up valuable time that can be used to improve services and grow the bottom line. But a failed IT audit can ruin your week faster than a denial of service attack. Worse, a negative IT audit can feel like a report card on your management ability — and future.
But it doesn’t have to be that way. The next time an internal or external audit group comes sniffing into your IT infrastructure, policies and operations, it can go well — even provide proof of your performance — as long as you’re prepared.
And the first step is to avoid the following all-too-common mistakes in IT audits. Heed these warnings and you should be able to avert an IT audit disaster.
Your know less about your tech assets than your auditor does
The best defense against negative results from IT audits is to know your technology environment inside out. Few people expect an IT leader to personally know each asset, so you have to rely on the process, technology, and people.
“Many organizations I see in Canada still struggle to identify all their technology assets,” says Felix Acosta, manager of CIO advisory at KPMG, a consulting firm. “There is a particular challenge in organizations with older equipment such as an unlabelled server sitting in a room,” he adds.
In many companies, the quality of your IT inventory information is the greater challenge.
“I have seen cases where the organization has spreadsheets and notes in various places about their technology assets. However, those tracking processes are typically updated manually. Scrambling to update these tracking documents right before an audit is a common practice,” Acosta says.
“If you do not know what your technology assets are, you are likely to have problems with audits,” Acosta explains. After all, if you do not know your assets, how can you enforce controls and document that action? There are a variety of software products on the market that can help with hardware and software asset management. However, these systems may not be comprehensive. For instance, telling an auditor that you do not track cloud assets will not put you in a good light.
You rely on manual processes to address auditor requests
Configuring servers, tools and other technology assets to meet deadlines and fulfill compliance requirements is difficult. And if you aren’t using automation tools to help you, you’re setting yourself up to fail.
Here, John Ray, senior consultant at Shadow-Soft, an open source integrator, recommends an auditing and testing framework.
“I have used Chef Inspec to create easy-to-read reports for auditors. It takes some customization to achieve results, but it has worked out well,” Ray says. “Rather than using spreadsheets and manual tracking to meet compliance needs, it is much better to use automation tools like Inspec.”
The ability to easily track assets and your environment is especially important when fines and added spending is on the line. That is a key challenge for CIOs when it comes to audits from software vendors.
You have no capacity to challenge software vendor audits
Some technology leaders face greater struggles with IT audits, where the stakes are even higher. When a vendor comes in to audit whether you are in compliance with their licensing, it’s best to be prepared for a fight.
“In my experience, software audits are often the most painful practices. I have seen software vendors change the rules. That makes it difficult to know about the changes and keep up with them,” says Gary Davenport, CIO mentor and board member of the CIO Association of Canada. Previously, Davenport served as CIO at the Hudson Bay Company, a national retailer in Canada.
Software vendor audits directly translate into higher expenses in many cases. Take IBM’s change to Passport Advantage for example. As The Register reports: “The message is clear: if you cannot prove during an audit exactly when an overuse took place you pay a full two years’ maintenance — that is 40 per cent of license cost.”
Software audits are how high tech plays hardball, and IBM is far from alone in pursuing additional payments. There are specialized consultants and lawyers dedicated to helping clients who face vendor audits from Oracle, Microsoft and other large software firms.
You do not act quickly on audit findings
If the worst-case scenario occurs, you will find yourself with serious audit failures to address. In those cases, a rapid response is the best course.
“You can expect auditors to follow up with you and ask what your response will be,” says Michael Leidinger, CTO of Hilton.
If managers neglect their responsibilities, auditors are not likely to stay quiet about problems they detect. Executives are often copied on audit results so slow responses will be noted up the chain of command.
Don’t let failing an IT audit be the first step toward a long, hard fall.
You haven’t established a relationship with your auditors in advance
Including auditors as project stakeholders is one of the best ways to avoid painful problems later in the process.
“Including IT auditors in your technology projects makes life easier for everyone. If auditors come in after you have implemented a major system, implementing their suggestions will be much more difficult,” Davenport says. “Including audit in major projects saves time and money. It is also one of the best ways to develop a positive working relationship with the audit group.”
If your group has had a transactional or ad hoc connection with an audit in the past, that is not the only way to operate. Developing an ongoing relationship with audit will help you build trust and minimize communication difficulties.
You haven’t prepared your staff for audit success
Absent any preparation and guidance; an audit is an unsettling experience for your staff.
“Internal audit plays a role in helping the company achieve success in IT audits. I explain to our staff that they have a job to do and we need to support them in carrying out that work,” says Davenport.
This approach may be supplemented by asking experienced staff to guide newer staff on audit requirements. This kind of informal support approach is not always enough. Consider establishing an ongoing relationship with the audit function at your company.
You have no audit engagement process in place
If your staff feel uncertain or fearful about how to engage with auditors, audits are unlikely to unfold smoothly. Assigning audit management to a few staff is one way to improve.
“When we prepared to take Hilton public, there was a major increase in audit activity. Many of our technology staff were uncertain how to address audit questions,” says Leidinger. “Eventually, we brought two people on board with the responsibility to manage IT audits with experience in audits and technology. They make a great contribution to facilitating the audit process,” Leidinger adds.