Archive for the ‘Auditors’ Category

One of the most frustrating things about working on audits is when a company is doing all the right things (processes, procedures) – but there’s no documentation to back that up. For many auditors, lack of documentation is a material weakness; not having the written documentation is tantamount to not having the correct processes or technical controls.

Ed takes on this subject in his latest TechNews article:

Organizations that do all the right things in terms of IT security and compliance can still suffer greatly when it comes time for an audit simply because they didn’t document the processes and controls they’ve implemented. From a purely compliance point of view, it’s worse to have a functional control that’s undocumented than it is to not have the control at all.

Since Ed is an auditor, I thought it might be interesting to do a piece on how security and IT folks can improve their relationships with internal and external audit teams.

For some IT professionals, the mere mention of an audit conjures painful images of being trussed and stuffed like a Thanksgiving turkey. If you’ve ever been through an audit that you weren’t prepared for, you may harbor your own unpleasant images of an audit process gone wrong. As recently as 10-15 years ago, many auditors were just learning their way around the “new world” of IT, while just as many computer and network professionals were beginning to learn their way around the audit world.

If you’re interested in the rest of the article please check it out in the Prism MicroSystems November Newsletter.