In theory, IT auditors and IT professionals want the same thing: a secure, well-designed and efficient IT environment that -- ultimately -- helps the business better serve all of its customers.
In spite of this, and throughout my career as an IT auditor, I've come to realize that many IT professionals secretly view IT auditors as their nemesis.
There are two main reasons for this:
- A lack of understanding about what IT auditors do and don't do.
- The fact that, like mechanics and doctors, there are good auditors and bad auditors.
To attack the first problem, let's define an auditor's job.
In the simplest terms, IT auditors provide executive management with our independent assessment of the effectiveness of controls put into place to protect information, hard assets and people from potential damage. We help determine what areas of IT might need attention to reduce risk to levels that management finds acceptable. We don't, however, recommend how to fix any flaws we discover. This allows us to remain independent, in the event we're called upon to audit the same group later.
Once we receive an assignment, we research the area in question by collecting policy documents, process flow diagrams, relevant vendor documentation and internal procedure manuals. (If some of these things are missing, we may already have something to put in our report!) Most importantly, we interview those who use and manage the systems and data in the scope of the audit.
Using this information, we assess the controls in place -- hardware and software configurations, policies and dissemination thereof, monitoring of users, etc. We assess potential threats as well, such as those that might result from accidents or willful misconduct. We also look for any areas where we can recommend efficiencies in the way IT is working to help the business. Finally, we review findings with you and deliver a report to management.
At least, that's how good auditors conduct audits. Unfortunately, they aren't the only type out there.
Another type is eager to catch you doing something wrong. "Gotcha" auditors may report on issues that don't represent unacceptable risks, wasting everyone's time. They may be confrontational. They won't give the impression that you're all working toward a common goal.
The best way to work with this type of auditor is to demonstrate a clear understanding of the kinds of cost/benefit decisions your department has made in designing and implementing IT controls. Provide evidence showing that the business made a conscious decision for IT to operate in the very way that the auditor is questioning. That will block their efforts.
There are also auditors who aren't knowledgeable enough to adequately understand the technical nature of control mechanisms and related vulnerabilities. I'll call this type "guessers." Because they don't want you to know how much they don't know, they may not ask enough questions. In the end, they may communicate control issues to management when there aren't control issues at all, again wasting everyone's time.
Be patient with this type of auditor and, if you can, ask audit management to provide technical training prior to your area's spot on the audit calendar.
While you can't choose the type of auditor assigned to you, understanding his objective, process and professional style should get your relationship off to a decent start. Just be open, and remember that you have a common goal: providing the right amount of protection for your company's assets in the most efficient manner possible.