To make sure an audit does what it's intended to do -- reduce risk to acceptable levels -- everyone involved must use the same words in the same way. You'd be amazed by how often that's not the case with words as seemingly basic as policy, standards and controls. That confusion results in a lot of head-scratching and wasted effort.
Here's my list of some of the most misinterpreted words, along with explanations of what IT auditors mean when we say them.
Policy. It may seem obvious, but the important thing to remember about a policy is that it describes what must be done. A policy is not optional, so you must retain documentation showing that you comply with it. I can't tell you how many times I've asked for policies and received everything from recommendations to standards. When auditors ask for your policies, they are looking for the inflexible parameters within which everyone must operate. For example, one policy might stipulate that all system data be classified according to sensitivity. To show your auditor that you comply with this policy, it is not enough to produce the policy document itself; you must show consistent, up-to-date records of all systems and their data classifications, and be able to explain how those records are kept current as systems are added and retired.
Standards. First, clarify whether your auditor is interested in "recommended" standards or "required" standards. If you don't, you could end up with an audit finding (which is kind of like a speeding ticket) even if your operations are up to snuff.
Let's say one of your standards is that servers are kept at the latest patch level. If this is actually a recommended standard -- your ideal -- but your auditor takes it to be a required standard, get ready for some headaches. Your auditor will probably scan all your servers and cite every case where a server isn't at the latest patch level. If that finding makes its way into the audit report, you could find yourself spending a lot of money on new tools and procedures to speed up patching. Is that really where you want to spend your money? The message: be specific from the beginning. Label each standard as recommended or required, and write required standards in terms you can actually measure and evidence, such as a deadline for applying patches of a given severity rather than a blanket "latest patch level."
Controls. This word is central to the auditor's life, so it's essential that you both understand and use it in the same way. Controls are restraining devices, whether a system setting or configuration or a procedure. They reduce the chances of bad things happening by restraining undesirable forces or events. Auditors spend their lives assessing the effectiveness of controls. So if your auditor asks about the controls built into a process, he or she is asking you to describe (or provide documents describing) what you and your department do to prevent certain bad things from happening. Expect a follow-up question, too: a control that exists only on paper does not count, so be ready to show evidence that it actually operates, such as the configuration itself, the approval records it generates or the logs it produces.
How can you ensure that you and your auditor are on the same page? Keep definitions for all these words, and for others used frequently during the course of audits, by your desk and refer to them often. Make sure both of you understand and use these words the same way in your unique business context. Being diligent and consistent in usage can keep you from fixing things unnecessarily and can move the audit process along more quickly.