
10 ways to prep for auditors

By Charlie Russo, News Writer
29 Jun 2005 | SearchCIO.com


If you're like plenty of CIOs, compliance requirements have impacted your entire organization -- and your auditors have made surprising requests that cost you more than you anticipated.

With one year of Sarbanes-Oxley experience under their belts, IT executives have learned valuable lessons in preparing for audits, such as establishing comparative metrics before the auditors arrive.

One tip sheet for "increasing your audibility" is available in The Visible Ops Handbook, distributed by the Information Technology Process Institute.

To date, 17,000 copies of the $19.95 handbook have been sold, according to Kevin Behr, president and founder of the Information Technology Process Institute, a not-for-profit group focused on researching, benchmarking and developing best practices for IT executives. Here is a portion of one of its popular cheat sheets, excerpted from the handbook.

  1. Ask the auditors what they are looking for before an audit. Ask them for their audit objectives and, if any, pre-audit checklists.
  2. Make sure to list your perceived risks. Sort them in descending order with the highest risks at the top, along with the controls you created to mitigate them.
  3. Document your preventative controls, and have detective controls in place to show they work. Document the change management process. For each authorized change, document the configuration changes from the detective controls to show that the changes made were within the scope of the work order. File the data collected about change requests and make it readily accessible. In some organizations, all of the above information lives in a physical three-ring binder.
  4. Use Change Advisory Board meeting minutes to show that meetings are being attended and used to manage change.
  5. Keep a current and accurate asset inventory of hardware and software.
  6. Document all internal audit procedures. For example, if your policies state that firewall logs are monitored by a system with exceptions reviewed, then you must have proof of following that policy through logs of one form or another.
  7. Document all outages and unscheduled downtime in the systems along with corrective actions taken.
  8. Keep current documentation of all exceptions to policies.
  9. List any security incidents along with corrective actions taken.
  10. Be able to produce previous audit findings, analysis of the findings and progress made against findings that warranted corrective action.

"More control doesn't equal more bureaucracy equals more work," Behr said. "It turns out, those with control can do more with less and do it more quickly and with better quality."
