
How To Survive, And Thrive, In An Audit

Apr 25, 2005

ITSM Watch Staff

By Kevin Behr, Gene Kim and George Spafford

Fundamentals of Preparing for an Audit
If IT controls do not exist, last-minute preparation for an audit will rarely yield good results. Ideally, an organization will have a process- and controls-oriented culture, which is something that no amount of last-minute paperwork will create. For example, for change controls you will need documentation from change management meetings to track what is going on and to capture knowledge; that documentation exists to run the business, not simply to pass audits. Other preparation should include the following:

  1. Fully document the build process from feature request, to build definition, to build acceptance.
  2. Fully document the acceptance and handoff process between the pre-production and production teams.
  3. Prepare reports on production rollouts of software, change success rate, time required to complete the rollout, and the integration with the change management processes.
  4. Document the process of how software is evaluated, accepted into, and purged out of the DSL (Definitive Software Library).
  5. Generate a report of the percentage of deployed systems that match the golden builds.
  6. Document the process used to track threats and generate projects in the release management processes for patch updates and software rollouts.
  7. Document the policies for the clean-room build process.
  8. Be able to show how systems are certified. In other words, "How do I know that what I built is what I intended to build?"
  9. Be able to provide a list of all exceptions to the golden builds, and justifications for them. An abundance of unexplained exceptions is evidence of an ineffective process.
Auditors: Who are They and Who are They Working For?
It's likely that both internal and external auditors will be involved at various times in an organization's lifecycle. Neither one is considered part of the management structure. In other words, management makes decisions, manages risks and runs the business. Audit ensures that risks are managed and management statements are reliable.

According to professional standards from the Institute of Internal Auditors, the internal audit function reports directly to the audit committee of the board of directors. Organizationally, internal audit staff may be placed under the CEO or CFO, but the function is independent of business management.

Typically, internal audit reports are addressed to management and copied to the audit committee. External auditors are third parties retained by management to give an unbiased opinion of the assertions management makes; their reports go to the audit committee and the board of directors. Whereas internal audit is accountable to the audit committee, external auditors are ultimately accountable to shareholders, regulators and potential investors.

External auditors evaluate the effectiveness of the controls that the company's senior management attests are in place. If a weakness is found, it is included in an audit findings report. If a material weakness is found, auditors may be required to disclose their findings to the appropriate regulatory body, such as the Public Company Accounting Oversight Board (PCAOB).

10 Tips to Survive the Audit
Auditors do not like to see organizations that have controls in place simply to pass audits. They much prefer to see organizations that embrace controls to improve the business. To this end, they look for documentation of processes and proof that the controls are followed. The first three phases of Visible Ops cover these points:

  1. Ask the auditors what they are looking for before an audit. Ask them for their audit objectives, if any pre-audit checklists or data will be required beforehand, what meetings are required, specific areas they will inspect, and so on.
  2. Over-prepare. It is better to be prepared for an audit and not need material than to have an audit and wish you had material.
  3. List your perceived risks, sorted in descending order with the highest risks at the top, and beside each one the controls you created to mitigate it.
  4. Document your preventive controls, and have detective controls in place to show they work.
      a. Document the change management process.
      b. Use meeting minutes to show that meetings are being attended and used to manage change.
      c. For each authorized change, document the configuration changes from the detective controls to show that the changes made were within the scope of the work order.
      d. File the data collected about change requests and make it readily accessible.
  5. Keep a current and accurate asset inventory of hardware and software.
  6. Document all internal audit procedures and the proof that they are being followed.
  7. Document all outages and unscheduled downtime in the systems, along with corrective actions taken.
  8. Keep current documentation of all exceptions to policies.
  9. List any security incidents along with corrective actions taken.
  10. Be able to produce previous audit findings, analysis of the findings and progress made against findings that warranted corrective action.
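As an added example (not code from the handbook or the IT Process Institute), the following Python script is the kind of detective control that produces what items 5 and 9 of the first list and item 4c above ask for: it compares each host's observed configuration hashes against the golden build, matches every deviation to an authorized change record by host, file path and change window, and reports the percentage of systems matching the golden build together with the exceptions that no work order explains. Host names, file paths, hashes, work-order numbers and the scan time are constructed sample data; the record layouts are assumptions, not an ITIL or Visible Ops format.

```python
"""Golden-build drift report reconciled against authorized changes.

Added example, not from the Visible Ops Handbook. All host names, paths,
hashes, work-order numbers and timestamps below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Change:
    """An authorized change record from the change management process."""
    work_order: str
    host: str
    paths: FrozenSet[str]       # files the work order permits touching
    start: datetime             # approved change window
    end: datetime


@dataclass
class Deviation:
    """One file on one host that differs from the golden build."""
    host: str
    path: str
    observed: Optional[str]     # hash seen on the host (None = file missing)
    expected: Optional[str]     # hash in the golden build (None = not in build)
    seen_at: datetime
    work_order: Optional[str] = None   # set when an authorized change covers it


def diff_against_golden(host: str, observed: Dict[str, str],
                        golden: Dict[str, str], seen_at: datetime) -> List[Deviation]:
    """Return one Deviation per path whose hash differs from the golden build."""
    out = []
    for path in sorted(set(observed) | set(golden)):
        o, e = observed.get(path), golden.get(path)
        if o != e:
            out.append(Deviation(host, path, o, e, seen_at))
    return out


def reconcile(deviations: List[Deviation], changes: List[Change]) -> List[Deviation]:
    """Attach a work order to each deviation an authorized change explains.

    A change explains a deviation only if it names the same host, lists the
    changed path in its scope, and the observation falls inside its window.
    Anything left with work_order is None is an unexplained exception.
    """
    for d in deviations:
        for c in changes:
            if c.host == d.host and d.path in c.paths and c.start <= d.seen_at <= c.end:
                d.work_order = c.work_order
                break
    return deviations


def golden_report(inventory: Dict[str, Dict[str, str]], golden: Dict[str, str],
                  changes: List[Change], seen_at: datetime
                  ) -> Tuple[float, List[Deviation], List[Deviation]]:
    """Compute the numbers an auditor asks for.

    inventory: {host: {path: hash}} as collected by the detective control
    golden:    {path: hash} for the golden build
    Returns (percent of hosts matching golden, explained deviations,
             unexplained deviations).
    """
    explained: List[Deviation] = []
    unexplained: List[Deviation] = []
    matching = 0
    for host, observed in inventory.items():
        devs = reconcile(diff_against_golden(host, observed, golden, seen_at), changes)
        if not devs:
            matching += 1
        for d in devs:
            (explained if d.work_order else unexplained).append(d)
    pct = 100.0 * matching / len(inventory) if inventory else 0.0
    return pct, explained, unexplained


# Constructed sample data: one clean host, one host changed under a work order,
# one host with a modified sshd_config that nobody authorized.
GOLDEN = {"/etc/ssh/sshd_config": "a1", "/etc/sudoers": "b2", "/usr/local/bin/app": "c3"}
INVENTORY = {
    "web01": {"/etc/ssh/sshd_config": "a1", "/etc/sudoers": "b2", "/usr/local/bin/app": "c3"},
    "web02": {"/etc/ssh/sshd_config": "a1", "/etc/sudoers": "b2", "/usr/local/bin/app": "c4"},
    "db01":  {"/etc/ssh/sshd_config": "zz", "/etc/sudoers": "b2", "/usr/local/bin/app": "c3"},
}
SCAN_TIME = datetime(2005, 4, 25, 9, 0)
CHANGES = [
    Change("CR-1042", "web02", frozenset({"/usr/local/bin/app"}),
           datetime(2005, 4, 24, 22, 0), datetime(2005, 4, 25, 23, 59)),
]

if __name__ == "__main__":
    pct, ok, bad = golden_report(INVENTORY, GOLDEN, CHANGES, SCAN_TIME)
    print(f"{pct:.1f}% of systems match the golden build")
    for d in ok:
        print(f"explained   {d.host} {d.path} -> {d.work_order}")
    for d in bad:
        print(f"UNEXPLAINED {d.host} {d.path} observed={d.observed} expected={d.expected}")
```

The match is deliberately strict on all three dimensions (host, path, window): a work order for a different host or an expired window does not excuse a change, which is exactly the distinction between an explained exception and evidence of an ineffective process. Run on a schedule against real hashes from your configuration scanner and filed with the change records, the output is the list an auditor will ask for.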
Clearly, auditors are concerned about the health of the IT systems hosting applications that the organization relies on. They focus on poor service levels and unusually high velocity of change as "red flags" indicating inadequate controls. The controls that give you good service levels are exactly the same controls that auditors look at to mitigate risks.

Following best practices for audit preparedness can help lead to mutual respect between the IT teams and the internal and external IT audit teams they work with. By embracing audits, IT teams can come to view auditors as additional resources for ensuring that appropriate controls are in place and effective, an additional failsafe that helps the organization be prepared for anything.

Excerpted from "The Visible Ops Handbook, Starting ITIL in 4 Practical Steps" by Kevin Behr, Gene Kim and George Spafford. Copyright 2004 by the IT Process Institute (ITPI); all rights reserved.