For many IT practitioners, the entire audit function may be one of the most mysterious and misunderstood roles encountered, especially when the business unit is operating in a regulated environment such as financial services, healthcare or pharmaceuticals.

All too often, auditing is viewed as a necessary evil, and therefore is characterized by a confrontational working relationship. Since 2000, we have been studying high-performing IT organizations, and we found that these organizations have a very different working relationship with audit; first, they spent much less time preparing for audits, had significantly fewer audit findings, and consequently, were spending a significantly less time on audit-related activities.

In the high-performing organizations, there is a mutual respect between the IT teams and the audit teams they work with, which includes the internal and external auditors. In fact, in these high-performers, the IT teams even viewed auditors as additional resources to ensure that appropriate controls are in place and effective.

Typically, poor working relationships with auditors and painful audit findings are due to the absence of effective processes and controls. Just as the manufacturing world realized the need for repeatable processes and quality controls, IT is tasked with ensuring that processes are documented and controls are effective.

When these processes are well documented and documentation exists that can demonstrate the controls are working, audits usually go much more smoothly, because auditors have a readily identifiable desired state to audit against. When processes are not documented, auditors must grade against their own processes.

Worse, when controls do not exist to demonstrate that processes are being followed, auditors must go into "archaeology" mode to determine for themselves if the systems meet documented control objectives. For example, if you claim to have change management meetings but do not have any formally recorded meeting notes, how can auditors verify that the meetings actually happened? The level of documentation must be commensurate with the risks associated with the changes.

A substantial rewrite of the Enterprise Resource Planning (ERP) system is a matter with significant risk, requiring additional processes and proof that those processes are effective. Resist the urge to document everything and instead focus efforts on creating evidence that the right processes are in place and are being followed.

To explain this further, we will examine the way auditors view the world, which is through three broad categories of controls.

Controls 101
Auditors often view the world through the lens of risks and controls. Risks exist, and you can mitigate them by either preventing or detecting them, and you should always be able to make corrections and recover should the risks actually happen. To explain this better, here are the three categories:

• Preventive - controls that keep something from happening. For example, policy, separation of duty, and authorization processes are all preventive controls.
• Detective - analytical controls that monitor activity and processes to determine if the preventive controls have failed or if something is out of compliance. For example, change monitoring and verification are detective controls.
• Corrective - corrective controls restore the situation back to the expected state. For example, if a system crashes due to a failed change, reloading all applications from the last known good image to bring the system back online serves as a corrective control.

These days, many audit concerns are driven by regulatory compliance needs that are required by the industry or that assure the integrity of financial reporting. At one time, auditors and bean counters checked to see if the financial statements were correct by opening up all of the warehouses and counting all the "beans." In this way, they could verify that the financial statements matched what they physically observed.

However, even the best auditors have finite time and resources. Instead of going into the warehouse and counting beans, they go to the bean counting machine and check the controls to determine whether the machine can be trusted. In most cases it is best to have a combination of preventive and detective controls. If neither exists, or if they are inadequate, the auditors cannot trust the results of the bean counting machine.

This is a very bad thing, because it erodes their ability to rely on anything the bean counting machine did, and requires opening up the warehouses, and, guess what, counting the beans. In other words, without assurance that proper controls exist, far more scrutiny is required, thus incurring substantial costs.

To create a more productive working relationship with auditors, IT must be able to clearly describe its preventive processes and the detective controls that prove they work as expected.

A main premise of this book is that controls serve an important purpose to ensure that our processes achieve the desired business objectives and that controls are not in place simply to generate positive audit findings or to comply with regulations. After all, a customer would not feel safe if the restaurant only complied with health codes just to keep the inspectors at bay. They would be happier if the restaurant handled food with care to keep customers healthy, happy and improve their overall dining experience.

IT is no different. An organization that uses effective controls to improve their processes typically has far better availability, lower amounts of unplanned work, better security, and incidentally, smoother audits .

By Kevin Behr, Gene Kim and George Spafford

For many IT practitioners, the entire audit function may be one of the most mysterious and misunderstood roles encountered, especially when the business unit is operating in a regulated environment such as financial services, healthcare or pharmaceuticals.

All too often, auditing is viewed as a necessary evil, and therefore is characterized by a confrontational working relationship. Since 2000, we have been studying high-performing IT organizations, and we found that these organizations have a very different working relationship with audit; first, they spent much less time preparing for audits, had significantly fewer audit findings, and consequently, were spending a significantly less time on audit-related activities.

In the high-performing organizations, there is a mutual respect between the IT teams and the audit teams they work with, which includes the internal and external auditors. In fact, in these high-performers, the IT teams even viewed auditors as additional resources to ensure that appropriate controls are in place and effective.

Typically, poor working relationships with auditors and painful audit findings are due to the absence of effective processes and controls. Just as the manufacturing world realized the need for repeatable processes and quality controls, IT is tasked with ensuring that processes are documented and controls are effective.

When these processes are well documented and documentation exists that can demonstrate the controls are working, audits usually go much more smoothly, because auditors have a readily identifiable desired state to audit against. When processes are not documented, auditors must grade against their own processes.

Worse, when controls do not exist to demonstrate that processes are being followed, auditors must go into "archaeology" mode to determine for themselves if the systems meet documented control objectives. For example, if you claim to have change management meetings but do not have any formally recorded meeting notes, how can auditors verify that the meetings actually happened? The level of documentation must be commensurate with the risks associated with the changes.

A substantial rewrite of the Enterprise Resource Planning (ERP) system is a matter with significant risk, requiring additional processes and proof that those processes are effective. Resist the urge to document everything and instead focus efforts on creating evidence that the right processes are in place and are being followed.

To explain this further, we will examine the way auditors view the world, which is through three broad categories of controls.

Controls 101
Auditors often view the world through the lens of risks and controls. Risks exist, and you can mitigate them by either preventing or detecting them, and you should always be able to make corrections and recover should the risks actually happen. To explain this better, here are the three categories:

• Preventive - controls that keep something from happening. For example, policy, separation of duty, and authorization processes are all preventive controls.
• Detective - analytical controls that monitor activity and processes to determine if the preventive controls have failed or if something is out of compliance. For example, change monitoring and verification are detective controls.
• Corrective - corrective controls restore the situation back to the expected state. For example, if a system crashes due to a failed change, reloading all applications from the last known good image to bring the system back online serves as a corrective control.

These days, many audit concerns are driven by regulatory compliance needs that are required by the industry or that assure the integrity of financial reporting. At one time, auditors and bean counters checked to see if the financial statements were correct by opening up all of the warehouses and counting all the "beans." In this way, they could verify that the financial statements matched what they physically observed.

However, even the best auditors have finite time and resources. Instead of going into the warehouse and counting beans, they go to the bean counting machine and check the controls to determine whether the machine can be trusted. In most cases it is best to have a combination of preventive and detective controls. If neither exists, or if they are inadequate, the auditors cannot trust the results of the bean counting machine.

This is a very bad thing, because it erodes their ability to rely on anything the bean counting machine did, and requires opening up the warehouses, and, guess what, counting the beans. In other words, without assurance that proper controls exist, far more scrutiny is required, thus incurring substantial costs.

To create a more productive working relationship with auditors, IT must be able to clearly describe its preventive processes and the detective controls that prove they work as expected.

A main premise of this book is that controls serve an important purpose to ensure that our processes achieve the desired business objectives and that controls are not in place simply to generate positive audit findings or to comply with regulations. After all, a customer would not feel safe if the restaurant only complied with health codes just to keep the inspectors at bay. They would be happier if the restaurant handled food with care to keep customers healthy, happy and improve their overall dining experience.

IT is no different. An organization that uses effective controls to improve their processes typically has far better availability, lower amounts of unplanned work, better security, and incidentally, smoother audits .

By Kevin Behr, Gene Kim and George Spafford

For many IT practitioners, the entire audit function may be one of the most mysterious and misunderstood roles encountered, especially when the business unit is operating in a regulated environment such as financial services, healthcare or pharmaceuticals.

All too often, auditing is viewed as a necessary evil, and therefore is characterized by a confrontational working relationship. Since 2000, we have been studying high-performing IT organizations, and we found that these organizations have a very different working relationship with audit; first, they spent much less time preparing for audits, had significantly fewer audit findings, and consequently, were spending a significantly less time on audit-related activities.

In the high-performing organizations, there is a mutual respect between the IT teams and the audit teams they work with, which includes the internal and external auditors. In fact, in these high-performers, the IT teams even viewed auditors as additional resources to ensure that appropriate controls are in place and effective.

Typically, poor working relationships with auditors and painful audit findings are due to the absence of effective processes and controls. Just as the manufacturing world realized the need for repeatable processes and quality controls, IT is tasked with ensuring that processes are documented and controls are effective.

When these processes are well documented and documentation exists that can demonstrate the controls are working, audits usually go much more smoothly, because auditors have a readily identifiable desired state to audit against. When processes are not documented, auditors must grade against their own processes.

Worse, when controls do not exist to demonstrate that processes are being followed, auditors must go into "archaeology" mode to determine for themselves if the systems meet documented control objectives. For example, if you claim to have change management meetings but do not have any formally recorded meeting notes, how can auditors verify that the meetings actually happened? The level of documentation must be commensurate with the risks associated with the changes.

A substantial rewrite of the Enterprise Resource Planning (ERP) system is a matter with significant risk, requiring additional processes and proof that those processes are effective. Resist the urge to document everything and instead focus efforts on creating evidence that the right processes are in place and are being followed.

To explain this further, we will examine the way auditors view the world, which is through three broad categories of controls.

Controls 101
Auditors often view the world through the lens of risks and controls. Risks exist, and you can mitigate them by either preventing or detecting them, and you should always be able to make corrections and recover should the risks actually happen. To explain this better, here are the three categories:

• Preventive - controls that keep something from happening. For example, policy, separation of duty, and authorization processes are all preventive controls.
• Detective - analytical controls that monitor activity and processes to determine if the preventive controls have failed or if something is out of compliance. For example, change monitoring and verification are detective controls.
• Corrective - corrective controls restore the situation back to the expected state. For example, if a system crashes due to a failed change, reloading all applications from the last known good image to bring the system back online serves as a corrective control.

These days, many audit concerns are driven by regulatory compliance needs that are required by the industry or that assure the integrity of financial reporting. At one time, auditors and bean counters checked to see if the financial statements were correct by opening up all of the warehouses and counting all the "beans." In this way, they could verify that the financial statements matched what they physically observed.

However, even the best auditors have finite time and resources. Instead of going into the warehouse and counting beans, they go to the bean counting machine and check the controls to determine whether the machine can be trusted. In most cases it is best to have a combination of preventive and detective controls. If neither exists, or if they are inadequate, the auditors cannot trust the results of the bean counting machine.

This is a very bad thing, because it erodes their ability to rely on anything the bean counting machine did, and requires opening up the warehouses, and, guess what, counting the beans. In other words, without assurance that proper controls exist, far more scrutiny is required, thus incurring substantial costs.

To create a more productive working relationship with auditors, IT must be able to clearly describe its preventive processes and the detective controls that prove they work as expected.

A main premise of this book is that controls serve an important purpose to ensure that our processes achieve the desired business objectives and that controls are not in place simply to generate positive audit findings or to comply with regulations. After all, a customer would not feel safe if the restaurant only complied with health codes just to keep the inspectors at bay. They would be happier if the restaurant handled food with care to keep customers healthy, happy and improve their overall dining experience.

IT is no different. An organization that uses effective controls to improve their processes typically has far better availability, lower amounts of unplanned work, better security, and incidentally, smoother audits .

By Kevin Behr, Gene Kim and George Spafford

Fundamentals of Preparing for an Audit
If IT controls do not exist, last-minute preparation for an audit will rarely yield good results. Ideally, an organization will have a process- and controls-oriented culture, which is something that no amount of last-minute generation of paperwork will create. For example, for change controls, you will need documentation from change management meetings to help track what is going on and capture knowledge. It is not simply there to pass audits. Other documented processes should include:

1. Fully document the build process from feature request, to build definition, to build acceptance.
2. Fully document the acceptance and handoff process between the pre-production and production teams.
3. Prepare reports on production rollouts of software, change success rate, time required to complete the rollout, and the integration with the change management processes.
4. Document the process of how software is evaluated, accepted into, and purged out of the DSL.
5. Generate a report of the percentage of deployed systems that match the golden builds.
6. Document the process used to track threats and generate projects in the release management processes for patch updates and software rollouts.
7. Document the policies for the clean-room build process.
8. Be able to show how systems are certified. In other words, "How do I know that what I built is what I intended to build?"
9. Be able to provide a list of all exceptions to the golden builds, and justifications for them. An abundance of unexplained exceptions is evidence of an ineffective process.

According to professional standards from the Institute of Internal Auditors, the internal audit function reports directly to the audit committee of the board of directors. Organizationally, internal audit staff may be placed under the CEO or CFO, but is independent of business management.

Typically, internal audit reports are addressed to management and copied to the audit committee. External auditors are third parties retained by management to give an unbiased opinion of the assertions made. External auditors report to the audit board and board of directors. Whereas internal audit reports to the audit board, external auditors are accountable to shareholders, regulators and potential investors.

External auditors evaluate the effectiveness of the controls that are attested to being in place by the company's senior management. If a weakness is found, it is included in an audit findings report. If a material weakness is found, auditors may be required to disclose their findings to the appropriate regulatory body, such as the Public Company Accounting Oversight Board (PCAOB).

10 Tips to Survive the Audit
Auditors do not like to see organizations that simply have controls in place to pass audits. They much prefer to see organizations who embrace controls to improve the business. To this end, they look for documentation of processes and proof that controls are followed. The first three phases of Visible Ops covers these points:

1. Ask the auditors what they are looking for before an audit. Ask them for their audit objectives, if any pre-audit checklists or data will be required beforehand, what meetings are required, specific areas they will inspect, and so on.
2. Over-prepare. It is better to be prepared for an audit and not need material than to have an audit and wish you had material.
3. Make sure to list your perceived risks. Back it up with a list of risks sorted in descending order with the highest risks at the top, along with the controls you created to mitigate them.
4. Document your preventive controls, and have detective controls in place to show they work.
   a. Document the change management process.
   b. Use meeting minutes to show that meetings are being attended and used to manage change.
   c. For each authorized change, document the configuration changes from the detective controls to show that the changes made were within the scope of the work order.
   d. File the data collected about change requests and make it readily accessible.
5. Keep a current and accurate asset inventory of hardware and software.
6. Document all internal audit procedures and the proof that they are being followed.
7. Document all outages and unscheduled downtime in the systems, along with corrective actions taken.
8. Keep current documentation of all exceptions to policies.
9. List any security incidents along with corrective actions taken.
10. Be able to produce previous audit findings, analysis of the findings and progress made against findings that warranted corrective action.

Following best practices for audit preparedness can help lead to mutual respect between the IT teams and the internal and external IT audit teams they work with. By embracing audits, IT teams can come to view auditors as additional resources to ensure that appropriate controls are in place and effectivean additional failsafe to be prepared for anything.