Here’s a couple tips for making your IT audits a bit easier in the new year.
First, for those systems that don’t record the creation or deletion date of user accounts (or folders, permissions, or whatever), get a list of all accounts from IT in January. Then when you do the audit later in the year, get a new list and compare it with the January list. The new and deleted accounts will jump out at you.
Sure, you can just compare the new list to the list you received during the previous year’s audit, but you have no way of determining which accounts were added or deleted in the calendar year, only those since the last audit. If the last audit was March, your auditees could claim all the findings occurred during the previous year.
One item I find most helpful is to gather a list of servers and databases that exist at the beginning of the year. I return to that list during almost every audit.
I’d suggest you prepare a spreadsheet that describes the following for each download:
- Name of audit and test/work paper to which the data applies
- System from which the data was downloaded
- When the data was downloaded and which auditor was involved (for any follow-up questions that occur later)
- Where and how the data was downloaded (URL or server from which the data was extracted, and any queries or special steps used, formatting required)
- Name of the person who assisted or provided the data (like the IT guy)
- Name of the file that was downloaded and the path to where it was saved
If you document all this data, it’s easy to note the details in your work paper when the time comes. It becomes part of your population validation (when, where, how, and from whom did you get the data, and how do you know it’s the right data).
Second, if you don’t do so already, start a list of things you find that don’t pertain to the current audit, but should probably be addressed in another audit. For example, during a SOX audit, you find an issue on a non-SOX server that could be a major issue. Jot the details down on a spreadsheet and come back to it later.
The other thing I use this list for is for accounts or servers that I know had issues and would be good samples to check later. This could also pertain to risks that others have told you about, but you haven’t verified. Also, sometimes you discover things about a certain system long after the audit is completed, and you don’t want to forget it next year. Or you just want to note a lot of turnover in a certain department that could affect an audit.
Third, centralize your downloads and notes so that no matter who does the audit, the info is available to all appropriate auditors. To most, this is a no-brainer, but even well-established departments usually have a couple lists or caches of data that are stored here, there, and everywhere.
Fourth, make sure all your audit work papers and related documentation for each audit are searchable. If you have a modern audit system in which you store all your work papers, attachments, and risk rank documents, this is searchable by default. However, I have worked in several Fortune 500 (and bigger!) companies whose audit systems either are not up-to-date with the latest features or don’t have a good search function.
If your system doesn’t have a good search function, you are not only reinventing the wheel during each audit (especially during risk ranking of issues), you can’t get a good grasp of all findings across a system, department, or the company as a whole (not every risk makes the aggregated listing!). You might consider creating a manual store* of all your audit work papers on a central server directory that is restricted to auditors only; it sure comes in handy when you’re trying to remember which audit you tackled that prickly situation before .
* If you do it manually, I’d suggest printing your work papers to searchable PDFs. You could use the free CutePDF application that allows you to print PDFs of just about anything; the license is free for personal AND commercial use (but get IT’s approval). No embedded attachments will be available in the PDFs of course, but if you need the attachments, go back to the original work paper to retrieve them. Even when you have to do that, you’ve overcome the biggest issue: finding the right work paper in the first place.
Also, make sure your audit policies are OK with having an extra copy of the work papers elsewhere. Sometimes this can get you into legal trouble, so check with your department head and maybe Legal.
Go ahead and roll your eyes at these suggestions, and bless you if your department has all this covered. But as a contractor who works in the audit departments of many BIG companies, I can’t tell you how many times I’ve shook my head at the audit environment that I’ve had to work in. NOT ONCE have I ever worked in an audit system that was on the latest release (or even 2 releases before that!).
Of course, the right answer is to ensure that you have an audit system that provides all these functions by default. Someone ought to do an efficiency audit of audit departments and make them eat their own dog food.
I’d love to hear what your audit work paper system is like…leave me a comment.
ITauditSecurity 
You’ve got a academic way of writing which I don’t often run into. Just thought I’d let you know :D
LikeLike
CS,
Is that a compliment? Or are you saying I remind you of an old, cranky professor? Since you ended with a smiley, I’ll assume it’s a genuine compliment. Thanks… I think.
LikeLike
Re keeping a list of things to follow-up, I include a row in my audit checklists for stuff that doesn’t fit the current audit scope, or that smelt fishy (but I wasn’t able to locate the corpse!), or that might be worth poking at the next time I do a similar audit, or that someone has ‘assured’ me is OK (but I’m too cynical to accept), or whatever. It’s not a separate list, but is searchable. Looking over relevant previous audit findings and working papers is a routine part of starting an new audit, so it’s a good way to prompt my failing memory.
Another tip is to develop templates for all the documents you normally use, making it quicker and easier to start a new assignment. This is an excellent way to make the whole department’s output more consistent and polished too, provided everyone knows how to use the templates and understands the value of not meddling with settings such as the styles, fonts, font sizes etc. (they should all be change-controlled, with a process to review proposed changes and make them properly, if agreed).
LikeLike
Thanks for your tips, Gary.
The dept I’m currently in keeps an audit universe list and adds any followup items or things to check under the appropriate audit. If it doesn’t fit anywhere, we make a new category.
LikeLike