Nobody likes an audit. Even in the best of outcomes, audits take up valuable time that could be used to improve services and grow the bottom line. But a failed IT audit can ruin your week faster than a denial of service attack. Worse, a negative IT audit can feel like a report card on your management ability, and on your future.
But it doesn’t have to be that way. The next time an internal or external audit group comes sniffing into your IT infrastructure, policies and operations, it can go well — even provide proof of your performance — as long as you’re prepared.
And the first step is to avoid the following all-too-common IT audit mistakes. Heed these warnings and you should be able to avert an IT audit disaster.
You know less about your tech assets than your auditor does
The best defense against negative IT audit results is to know your technology environment inside out. Few people expect an IT leader to personally know each asset, so you have to rely on the process, technology, and people.
“Many organizations I see in Canada still struggle to identify all their technology assets,” says Felix Acosta, manager of CIO advisory at KPMG, a consulting firm. “There is a particular challenge in organizations with older equipment such as an unlabelled server sitting in a room,” he adds.
In many companies, the quality of your IT inventory information is the greater challenge.
“I have seen cases where the organization has spreadsheets and notes in various places about their technology assets. However, those tracking processes are typically updated manually. Scrambling to update these tracking documents right before an audit is a common practice,” Acosta says.
“If you do not know what your technology assets are, you are likely to have problems with audits,” Acosta explains. After all, if you do not know your assets, how can you enforce controls and document that action? There are a variety of software products on the market that can help with hardware and software asset management. However, these systems may not be comprehensive. For instance, telling an auditor that you do not track cloud assets will not put you in a good light.
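An added example (not from the article or from any product it mentions) of the check this section argues for: reconciling a manually kept inventory spreadsheet against what discovery actually finds. The CSV columns, hostnames, the `reconcile` function and the 90-day staleness threshold are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample: CSV export of a manually maintained inventory spreadsheet.
INVENTORY_CSV = """asset_id,hostname,owner,kind,last_verified
A-001,web01,ops,server,2024-05-20
A-002,db01,,server,2023-01-15
A-003,files01,ops,server,2024-04-02
"""

# Constructed sample: what discovery found (network scan plus a cloud export).
DISCOVERED = [
    {"hostname": "web01", "kind": "server"},
    {"hostname": "db01", "kind": "server"},
    {"hostname": "legacy-app", "kind": "server"},   # unlabelled box in a back room
    {"hostname": "vm-analytics", "kind": "cloud"},  # cloud asset nobody recorded
]


def reconcile(inventory_csv, discovered, today, max_age_days=90):
    """Return the gaps between the inventory records and the observed environment."""
    records = {r["hostname"].strip().lower(): r
               for r in csv.DictReader(io.StringIO(inventory_csv))}
    seen = {d["hostname"].strip().lower(): d for d in discovered}
    findings = {
        # Running in the environment but absent from the inventory.
        "untracked": sorted(h for h in seen if h not in records),
        # Listed in the inventory but not observed: retired, moved or renamed.
        "not_found": sorted(h for h in records if h not in seen),
        # Records with nobody accountable for the asset.
        "no_owner": sorted(h for h, r in records.items() if not r["owner"].strip()),
        # Records nobody has confirmed within the allowed window.
        "stale": sorted(
            h for h, r in records.items()
            if (today - date.fromisoformat(r["last_verified"])).days > max_age_days
        ),
    }
    # Cloud assets are reported separately: the gap the article calls out.
    findings["untracked_cloud"] = sorted(
        h for h in findings["untracked"] if seen[h]["kind"] == "cloud")
    return findings


if __name__ == "__main__":
    for name, hosts in reconcile(INVENTORY_CSV, DISCOVERED, date(2024, 6, 1)).items():
        print(f"{name}: {', '.join(hosts) or 'none'}")
```

Run on a schedule rather than the week before an audit, a report like this turns the last-minute spreadsheet scramble into a standing list of gaps to close.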
You rely on manual processes to address auditor requests
Configuring servers, tools and other technology assets to meet deadlines and fulfill compliance requirements is difficult. And if you aren’t using automation tools to help you, you’re setting yourself up to fail.
Here, John Ray, senior consultant at Shadow-Soft, an open source integrator, recommends an auditing and testing framework.
“I have used Chef InSpec to create easy-to-read reports for auditors. It takes some customization to achieve results, but it has worked out well,” Ray says. “Rather than using spreadsheets and manual tracking to meet compliance needs, it is much better to use automation tools like InSpec.”