An IT Manager's Guide to a Successful Audit [ PART 1 of 5 ]
Introduction to IT Audits
The IT audit process is one of the most misunderstood and loathed processes in the IT world. A lot of this comes from the fact that the process is not embraced by IT management as an opportunity for a partnership. Once managers realize they can utilize the audit process to highlight some of their own business concerns and objectives, the IT audit process becomes less adversarial and more about building relationships.
This blog series will provide an overview of the audit process and how IT management can insert themselves into this process to benefit from the exercise. It’s important to remember that your attitude will set the tone for the engagement. You will get out of the process as much as you choose to put into it. This is a great opportunity to partner with someone who has an objective view of your organization and who in most cases will not be a “yes-person”, because they are not trying to sell you products or services as they assess your organization.
IT’s Involvement within an Organization
Information Technology departments are typically involved in almost every aspect of a business today. This is great in some respects and not so great in others. IT managers are finding it easier to transition into corporate leadership positions because their IT work exposes them to multiple areas of the company, whereas some of their business unit (BU) peers only get to see the line of business they work with, e.g. Sales, HR, Finance, Operations, Marketing, etc. This also means that whenever a business unit is audited, IT will be involved to some degree. Even if the audit focus is only on the BU process, the BU probably uses technology at some point in that process. Finance uses an electronic accounting system to store POs, Accounts Receivable/Payable, Payroll, etc. The auditors will want to know how access to each of these components is restricted, how often access rights are reviewed, etc. Even though IT isn’t the focus of the audit, they are still involved in it. It’s important for IT managers to have a seat at the table during the audit scoping phase, which we’ll talk about later.
When IT systems and processes are the focus of the audit, the roles and responsibilities are much easier to ascertain. The auditors are looking at your standard operating procedures. How do you limit access to systems? Is there segregation of duties? How is change management handled? An audit requires that processes be documented. Two questions typically arise during an audit. First, how well is the process followed? Second, is the work documented and available to use as evidence that the process was followed?
Common Audit Types
There are various reasons that an audit engagement could occur, but we will focus on three main areas: Compliance, System Discrepancy and Process Assessment. These are the audits in which IT would most frequently be engaged. While the phases and objectives of an audit remain the same in general terms, it is important to understand how the audit’s focus may change the scope, groups impacted, timelines or other specific details for each audit.
Compliance audits may be one of the easiest to work through. Typically, these audits have clearly defined objectives and criteria for achieving a satisfactory rating. The subjective nature of the audit process is limited by the specifics laid out in the regulations. Compliance audits can be broken down into two categories: regulatory and industry. Regulatory audits are the result of legislation being passed and may carry civil and/or criminal penalties for non-compliance. Industry audits, however, are based on standards of one’s industry. The biggest risk to your organization is that it may lose the ability to be considered certified or to offer a specific product or service, but nobody will rot in federal prison for non-compliance.
Some regulations, such as HIPAA, are more ambiguous in their requirements and leave greater room for interpretation than, say, the Federal Information Security Management Act (FISMA). FISMA uses the very literal National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 as its guidelines. It’s important to note that, except for FISMA, most of the regulations you may encounter are designed to regulate a business practice. The sections that address data security and privacy are only components of the overarching legislative functions.
Most Common Regulatory Compliance Audits
In 2005, Section 404 of the Sarbanes-Oxley Act (SOX) pretty much turned the business world on its edge. All publicly traded companies had to add a section to their annual SEC filing stating that the company’s executive management personally attest to the financial statements being filed. This also included an attestation that a framework is in place to manage controls over financial systems, and that the controls were tested and are deemed effective. The fire drills have subsided; however, there is now a focused effort on yearly testing for SOX 404 compliance.
The beginnings of HIPAA focused on the ability of health care payers (insurance companies, Medicare/Medicaid) and payees (hospitals, school systems, physicians) to share information electronically. Until then there was no standard code for a specific diagnosis, method of care, prescription, etc. Once people started thinking about sharing such sensitive data more easily, an emphasis on information security and privacy was added. Most HIPAA audits are internal and focus on how well you meet the compliance objectives. External audits have become more prevalent since enforcement measures were enacted in 2008. In 2009, additional security and enforcement actions were signed into law under the HITECH Act.
FISMA standards are the bane of existence for any IT manager supporting the federal government. The NIST SP 800-53 standard is one of the most detailed and stringent standards available. A huge benefit, however, is that SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, has been published as well. This is the guide for auditing systems against FISMA. It’s like having the answers to the exams at the beginning of the course.
Compliance with industry-imposed regulations isn’t a new concept. Industry groups have long offered certification for suppliers of goods or services that meet a certain standard. The Payment Card Industry (PCI) Data Security Standard (DSS) is now one of the most prevalent sets of requirements IT systems are audited against.
System Discrepancy Audits
System discrepancy audits are sometimes the hardest because they arise out of the fact that things simply don’t add up. If the mismatch isn’t easily detected, a discrepancy audit is called for. Herein lies the problem. Where do you start? Is the problem in the application? Is it the database? Is it in the data collection tool? Was it simply human error? Could all of the data be collected and stored properly but the reporting system be the culprit? Who knows? Hopefully your systems administrators and business analysts can review the details and provide some intelligent hypotheses on where to begin. That’s all it is though…an educated guess. Until you start testing controls and components, you don’t know where you stand. You just hope to catch that loose string that allows you to unravel the tangled mess.
Discrepancy audits usually yield one of two results. The first is that a control was weak and allowed someone to exploit the system, either intentionally or unintentionally. This one is a little easier for executives to understand and deal with. You shore up the process or control to prevent a repeat and move on. The second result is that all controls appear to be effective and working properly, however, the discrepancy still occurred. Wow…what do we do now? This is probably going to point to an inside attack from someone with authorized access. Hang on because the ride has just begun at that point.
Process Assessment Audits
Process audits are usually very straightforward. You have a body of standards such as NIST, ISO or your own information security policy that your organization has agreed to adopt and utilize to manage your information security and privacy. At a regular interval, you will need to show evidence that the organization utilizes processes and procedures that are in alignment with this body of standards. If the process audit is in relation to a body of standards, there are two phases. The first is to map your processes or procedures to the standard’s controls. The second is to test each control for efficiency, or how well it works.
If this is simply a process audit, there is no need to map the controls back to any external criteria. The audit will simply be a review of the current effectiveness and efficiency of the control.
Four Reasons to Not Combine Your Audits
Sometimes internal auditors will try to combine audits because they think it will save them time in the fieldwork and reporting process. Auditors are no different from any other profession; everyone looks for efficiencies. However, that approach isn’t advised in this instance for several reasons. First, this creates confusion when trying to identify the objectives and outcome for the audit. Without a specific focus, the audit engagement continues to grow in size, time needed to complete, and resources impacted. The larger your audit, the greater the chance the outcomes will not be meaningful.
Second, sometimes inexperienced auditors don’t see how the specific audit relates to your business model. Testing scenarios for compliance may look very different from those for a process improvement. Testing scenarios should be carefully chosen to reflect the focus of the audit. When you combine audits you typically must choose multiple testing scenarios, so you lose the very efficiency you were trying to gain.
Third, reporting becomes a mess when you try to combine the various opinion letters and recommendations. You may have trouble mapping these to regulatory requirements or to remediation plans.
And lastly, you need a “W” in the win column. If all your audits are combined into one big engagement, chances are there’s going to be something that you need to improve on. This could earn you a less-than-satisfactory rating. If this is your only audit for the year, executives will only see your 0-1 record and may begin to judge your competency. If, however, you break things down into smaller chunks, you may end up with a 3-1 record, which is a much better reflection of your execution of business objectives.