In this excerpt from Chapter 2, Audit and Review: Its Role in Information Technology, from Information Technology Control and Audit, Second Edition, author Frederick Gallegos offers IT managers checklists to assist in the preparation of an IT audit.
"If you build it, they will come" has been a familiar phrase used in reference to the coming of the auditor. An IT manager has a right to receive a quality audit. However, managers can do much to ensure that they receive such a review by asking the questions and making the preparations given below.
- Who are members of the audit team, and what are their roles and assignments?
- What are the credentials and experience of the assigned audit team?
- What orientation or training can you provide them to be comfortable within the environment?
- Communicate with your managers and staff in the areas to be audited.
- If an area was audited before, review the prior report to see the issues raised and recommendations made. Get an update of corrections or changes made as a result of prior audit work and give your staff and the audit department credit.
- Purpose of the audit?
- Scope and objectives?
- Who are the audit staff assigned? (Ask to be notified if any staff are changed.)
- Timeframe for work to be performed?
- Use of computer time/access to system/logs/training needed.
- Access to IT management and staff?
- Communicate (1) and (2) to all IT staff affected.
- Set weekly or biweekly meetings with audit manager/audit team to discuss audit progress and issues.
- Before the audit is finished, request close-out conference from audit group.
- Request a copy of audit report.
- When the audit report is issued, pull your team together and discuss the report; if you follow the steps above there should be no surprises. If there are, there was a communication breakdown somewhere.
- If you disagree with the report or portions of the report, do so in writing with supporting evidence. Remember, the auditor has supporting evidence for their reports, and this exists in their working papers. For those areas where you agree, indicate what corrective actions your team plans to take.
- Have your team provide a status report to you on a 3- to 6-month cycle with a copy to go to Internal Audit. This shows you value their work.