Wednesday, April 15, 2009

IT Audits - Don’t Be Afraid

In this economy there will be more emphasis placed on audits. If you are working for a financial firm, then you probably have an internal audit group. You are also audited by an external audit firm, maybe the Fed, and, if you are an international firm, foreign regulatory agencies. In some firms, this leads to an environment of constant audits.

If you are a large IT shop, then it makes sense to form an audit team composed of your various department heads to work with and answer questions from the auditors. Keep it small. It is important to speak with one voice. This team should also include one or two business leaders. During an audit, there will be times when some type of risk will be discovered that will lead to a process or management change that has the potential to affect business operations.

If you are a smaller shop, then this process will fall upon the senior IT person. Again, some representation from the business should be included.

It is important for IT to document everything: every process, every procedure, and every diagram. If you have not already done so, do it now. It is just good due diligence. Auditors love documentation. The more you give, the more they love it. It also keeps them occupied. Most audits only last for a specific period of time. How can anyone come in, look at every aspect of your network, and discover everything? If you are a good administrator, then you know where your risks are and you have taken steps to mitigate or remove them from your environment. In these environments, auditors will find very little, if anything. And when they do, it will be minor and easily correctable.
