Many companies find IT audits about as pleasant as a root canal treatment. Nobody likes them much. Not surprising, because even a best-case scenario means that the IT audit will take up lots of valuable time. A failed IT audit is even worse, and can turn your work environment upside down in a flash. In some cases, a negative IT audit result could be read as an indication of weak management.
The scope, quality and level of detail of documentation play an increasingly important role in passing those dreaded audits. If you have an audit of your IT infrastructure, your policies and processes coming up, then a routinely conducted, active information management will guarantee a positive audit result. You just have to be well prepared.
Professional Audit Preparation
The best preparation regarding documentation is an active information management. Things will get tricky if documentation is only created and approved just ahead of the certification audit. You can bet the auditor won’t be impressed if he is presented with individual, standalone documents that nobody in the organisation is actually familiar with.
Documentation for a Constructive External Audit Situation
A key principle that applies most of all to external audits is: “First impressions are everything.” That depends heavily on the type, scope and quality of the documentation presented. Top criteria for this all-important positive first impression in terms of the documentation are:
- Transparent, documentation-based responses to all questions posed to IT
- The auditor is welcome to address members of the IT department directly, and these employees are familiar with the documentation and work in compliance with set rules
- No cover-ups or incorrect information regarding the completeness of the documentation
- The contact persons stated in the audit plan are available and familiar with the documentation
The preparation for an IT audit is an ongoing process and completely integrated in the daily routines, tasks and processes of the IT organisation. Ideally, this will prevent any need for a tremendous last-minute effort ahead of the IT audit.
These preparations include:
- Integration of the entire IT organisation in IT information management, which should ideally include managers. Familiarise your organisation with the documentation and encourage all levels to contribute.
- Continuous documentation improvement: Ensure regular, continuous adjustments and improvements of the documentation. This will lower overheads and save having to create new documentation at an inopportune moment.
- Regular documentation assessments and comparisons with the actual infrastructure and processes are much more helpful than occasional complete reviews (internal audits) of the entire body of documentation.
#1 How Well do you Really Know Your IT?
You should know everything there is to know about your IT. Auditors tend to dig deep and will almost always discover hidden inconsistencies.
Good online documentation will help answer virtually all questions. Nothing is more impressive during an audit than the ability to provide requested information at the drop of a hat.
#2 Audits of Your Service Providers are a Critical Issue
Make no mistake: the services your suppliers provide are audit-relevant. Do they know your policies and do they comply with them? How do you verify that compliance? What documentation about their services do you have at hand? In what way are suppliers included in your information management?
#3 Demonstrate That you Have Standardised IT Processes in Place and That you Have Established Relevant Work Instructions
Auditors love automation and are more likely to have a much closer look at manual processes. There are, however, a number of processes for which automation would not be an economically viable option. Demonstrate that you take your policies seriously and ensure a standardised, policy-compliant work method in your teams, based on clear work instructions for critical areas.
#4 Exception Handling
Your IT is highly standardised and automated. There will still be some applications and systems for which exceptions apply. Your system may require an obsolete software release or an insufficient patch level to function properly.
Demonstrate how you handle these exceptions and document in detail why this individual case must stand as is and what additional measures you have implemented because of that.
#5 Be Quick on Your Feet if the Documentation is Lacking
You must be able to respond quickly if you fail the audit due to gaps in your documentation. You must be able to demonstrate that you have the ability and the competence within your organisation to create high-quality solutions fast.
#6 View an IT Audit as What it Actually is: Professional Input to Help Along Your IT and Your IT Documentation.
Look at it positively: An auditor is like a dentist – who can be really very helpful over time. Think of the auditor as another stakeholder and include him at an early stage. The basic principle: Prevention is better than drilling.
Auditors are generally very experienced and are familiar with standards and best practices. That can be very useful – especially with regards to processes and security issues.
#7 Your Teams Know Their Stuff and are Well Prepared to Answer Questions
The highest level of preparedness for your teams stems from a well-functioning, established information management. Then your employees will be completely familiar with your IT processes and will be continuously working on the optimisation of procedures and the documentation. That is when the audit will be like a visit to the dentist should be: just a routine check-up with no treatment needed.
#8 Conduct Your Information Management Properly, Without Single Purpose Documents
Creating documentation specifically for an audit is not just costly and time-consuming, it may also be a risky strategy. Single-purpose documents are quickly recognised for what they are: documents created under time pressure, with little or no congruence with actual practices, that nobody in the organisation is familiar with. Employees will react nervously when faced with targeted questions from the auditor. You see, the similarities continue: brushing your teeth just once before you visit the dentist won’t really make any difference.
#9 Using Information Management to Handle Complexities
IT is becoming increasingly complex, and the volume of internal guidelines and processes grows alongside that complexity. IT information management is the way forward in handling these complexities, so that your employees continue to understand and manage them on the one hand, and on the other that the time and effort spent on documentation doesn’t become a problem in itself.
Rule of thumb: The leaner the IT guidelines and processes are in a company, the easier they are to implement and the more successful you will be in your IT audit.
#10 Describing IT Continuity and DR Exactly
Disaster recovery is a central issue of IT audits. In the case of financial service providers, various regulatory requirements exist to ensure a recovery of their IT systems. Elaborate on these processes in detail and make sure that these processes are known in the organisation ahead of an audit, so that at the very least quick access to all current versions can be guaranteed.
IT is a complex thing. The integration of cloud services and the rising number of service providers continuously add to the requirements you face in an IT audit. IT information management is the string that will lead you out of the IT audit labyrinth. Or, in keeping with the simile we used above: IT information management is pain prevention.
Plus you save a lot of money and create strategic added value.
10 Tips on How to Master IT Audits (PDF)
Documentation prevents pain.