Blogs are clamoring for proof that Osama Bin Laden is dead: show us the photos! However, I do not think Osama death photos are needed, at least not to prove he’s dead. I also think that keeping this event in mind can help move your audits along. Let me explain.
Some say you have to believe Osama is dead because it would be hard to believe that Navy Seals would go along with such a fiction if he weren’t dead. Others say the political price of being found out perpetrating such a hoax would simply be too high.
For me, the best proof has to do with what hasn’t happened: Osama hasn’t shown himself. The easiest way to show that the Obama administration is lying is for Osama to demonstrate it himself. So how does that relate to your audits? Let me provide some background first.
I sure hope that during the course of your audit you publish periodic status reports of your progress and any observations you’ve found. I recommend you have some kind of disclaimer stating that observations are findings that may be changed after more evidence is available. I’d also reinforce this in your opening meeting and when you discuss a finding with your auditees prior to publishing it in your status report.
Sometimes, it can be hard for auditees to produce the evidence you need, especially in a timely manner (in 2 companies I’ve worked in, this was 2 days after the request). For example, let’s say I’m seeking evidence that IT reviewed, tested, and deployed a critical patch within X days of vendor release. Most of the IT teams I’ve audited don’t document their progress very well as they execute their procedures, even though the procedure stipulates specific time frames for completing each step.
So after 2 days, even though I’m told they followed the procedure and are still looking for the evidence, I write up an observation stating that no evidence was provided. This accomplishes one of the following: 1) IT stops “looking for evidence” since everyone knows they don’t have it, because once a finding is published, the game of IT stalling the auditor is over, or 2) IT suddenly produces the evidence because the heat is on: now that the finding has been published, the manager (and usually directors and VPs) is on the hook for it.
Just like Osama can easily show Obama is wrong by producing himself, IT can invalidate a finding by producing the evidence. Either way, once Audit does its due diligence and publishes a finding, regardless of IT’s response, Audit (and the company) wins.