February 26, 2007

Take Control of External Audits

Make IT audits smooth and orderly

External auditors: You can't live with them, but you can't avoid them either. Several readers expressed this sentiment after reading "Improving IT Health with Audits," November 2006, InstantDoc ID 93422, in which I wrote about how you could use internal auditing to improve IT services. I think everyone in IT would agree that external audits of IT services are disruptive and time consuming. But by actively managing your audits, you can make them smoother and more efficient.

The Audit Commitment
Conceptually, an external IT audit is a measurable demonstration that an organization's IT staff is fulfilling its responsibilities. Many organizations face up to five external audits per year. If each audit takes three days, that's 15 days, or almost 6 percent of a 250-working-day year, spent working with external auditors. And that doesn't include the time spent preparing for the audit or putting together the post-audit response. With each audit comes an opportunity cost: the tasks you don't complete because you're busy explaining your policies and procedures to an auditor.

Improve the Process
It's in everyone's best interest to make audits efficient as well as effective. Here are five tips for minimizing the time each audit takes and smoothing the process.

  1. Get the methodology and standards in advance. The standards to which you'll be audited (e.g., Sarbanes-Oxley, the Payment Card Industry Data Security Standard) should be settled before the audit begins. From each organization that will audit your IT services, get the standard to which you'll be held, then group the similar requirements from every standard together. For example, put all data-backup requirements in one category and all password-policy requirements in another. Grouping the requirements from all the standards helps you find inconsistencies between them and gives you an idea of how much overall compliance work your organization has to undertake before being audited. Because standards are often written by lawyers for other lawyers, not for technologists, you might have to ask your corporate legal staff for help interpreting a standard and determining whether the controls you've deployed are sufficient.
  2. Schedule all audits to take place at about the same time. Treating audits as unique and isolated events often results in making changes for one audit that contradict a standard for an upcoming audit. Scheduling audits to take place at about the same time helps you reconcile differences in standards and make only one set of audit control changes for the year. Schedule audits at a time that's convenient to your business rather than to the auditors.
  3. Place the burden of proof on the auditor. Each audit organization seems to have its own ideas about what constitutes a best practice. Some auditors request bizarre configuration settings or data governance practices without any real science to support them. If an auditor gives your organization a poor mark for something that you don’t believe is a best practice, put the burden on the auditor either to point out where the practice is mandated in the standard or to cite reputable sources that support the practice.
  4. Record the cost of audits. Use activity-based accounting to calculate the amount of time each person involved spends on each audit and the value of that time according to each employee's fully burdened cost (i.e., cash compensation plus bonus, benefits, and employer-paid taxes). You might want to get help from someone in your company's finance department who has a background in managerial accounting. Your organization can then build these costs into its business plan, and perhaps even charge the cost of the audit back to the business unit that required it.
  5. Beat auditors at their own game. As the saying goes (it comes from The Godfather Part II, although it's often misattributed to Sun Tzu's The Art of War): Keep your friends close, but your enemies closer. Take audit-training courses and become skilled in performing audits. In addition to understanding audits better, you'll share a common language with auditors and benefit from better communication. For more information about auditing standards and training, go to the Information Systems Audit and Control Association (ISACA) Web site at http://www.isaca.org. Consider obtaining ISACA's Certified Information Systems Auditor (CISA) certification so that you can perform the secret auditor handshake at the outset of an audit; you might be surprised how far it will go.

Too Many Bad Apples
Because too many bad apples have reduced trust in corporate and data governance, external IT audits have become a legal liability shield and won't go away any time soon. Use these tips to take control of the auditing process and make audits less burdensome.

Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.