If your company has ever been through a formal audit, it is familiar with the management response document. If it hasn't, here is the short version: organizations prepare one in response to the findings of an assessor or auditor to provide additional context about the auditor's observations.
While usually associated with accounting audits, management response documents can be useful in IT scenarios as well. It's a good practice to prepare management responses after these engagements, but many organizations do not, or are not even aware they can.
Let's take a deeper look at what they are in an IT context and their benefits.
What is a management response?
A management response letter, sometimes called a management response report, is a standard, accepted and important part of the audit process. A generally accepted IT auditing standard is ISACA's IT Audit Framework. It outlines the management response process in reporting standard 2401.2.11. It reads:
Findings, conclusions and recommendations for corrective action should include management's response. For each management response, practitioners should obtain information on the proposed actions to implement or address reported recommendations and the planned implementation or action date.
A management response can agree with an auditor's findings, disagree with an auditor's conclusions or provide additional perspective and context for the organization, such as compensating controls the auditor did not identify and remediation tasks already planned.
Why and when organizations release a management response
The purpose of a management response is threefold:
- It memorializes that a given observation has been received by the organization, and it records any key decisions, such as timelines, corrective action plans, etc., associated with it.
- It provides a mechanism for the audited organization to provide any input it may have, such as additional context and supporting or explanatory information.
- It can be used in situations where the organization disagrees with an observation -- either in substance or in interpretation, such as the risk associated with a given issue. To err is human, and while we all hope our auditors don't get something wrong, it's nice to know there's a way to go on record when they do.
As for when, organizations commonly use a management response after an internal (first-party) audit or an external (third-party) audit.
However, management responses can also be used in IT scenarios: for technical assessments, such as penetration tests; in review of a cloud application; for a vendor questionnaire; and more.
That said, it is unusual to see a management response to a cloud assessment, though one can be useful. For example, if your organization reviews cloud service providers, or if you are a CSP responding to customer audits or assessments, chances are good that you don't normally prepare a response. It's even less common in the case of a technical assessment, such as a pen test, architecture review or other technical review.
This is not to say it never happens, but it is less common than with larger, more structured audits. One reason is volume: the sheer number of assessments can make it prohibitive to prepare a response to each one. This affects both the assessing organization, as it vets its supply chain, and the organizations being assessed, as they respond to assessment requests from a large portion of their customer base.
Management responses are also less common because many service providers being assessed, particularly SaaS providers, may be smaller or niche. They may not be used to dealing with larger, more formal audits. In addition, automated assessment processes, such as questionnaire portals, can make it unclear when and where a management response should be provided.
Advantages of providing an IT management response
There are advantages to preparing IT management responses to technical, cloud or other IT assessments or pen tests -- whether you are the assessor or being assessed.
Let's look at the example of vetting a CSP -- for example, a SaaS provider whose customers or potential customers routinely assess its security prior to engagement. What are the advantages in preparing a response?
First, it gives the CSP a chance to provide explanatory details, context or information the assessing organization -- the customer -- might not have collected. This can affect how that organization interprets its results, how risky it finds its engagement with the CSP and whether the CSP books the sale. If the CSP feels like something the customer observes isn't a risk, this is the CSP's opportunity to say so and explain why.
Second, a CSP may satisfy certain security requirements through contractual terms and conditions rather than through a technical control. If the CSP's position is that it achieves the same intent and rigor as a requested control through alternative means, stating so in a management response makes that position more defensible later, because it was articulated from day one rather than raised only after a dispute.
Even when the CSP doesn't disagree with an observation, a third benefit of a response is that it can be used to establish a timeline and internal accountability for change. If an assessor highlights an issue and the CSP agrees to take action in response, memorializing that decision and documenting the planned actions and the timeline give the CSP a record against which it can track that the work actually occurred.
Likewise, the written commitment provides the impetus internally to make those things happen. When it comes to following through on commitments, these records can be invaluable tools.
Why perform a management response as the organization doing the assessing? The same principle applies: Having a written record of the commitments made gives the customer leverage that it can use to make sure those things get done.
Whether you are a CSP or a cloud customer, crafting a management response to audit or assessment findings can be valuable. It may not be common for cloud assessments, but it can improve how a company looks in the aftermath of the audit and give both sides a record of what was agreed.