
Surviving the IT Audit


Many IT professionals dread the often painful IT audit. The fact that an (internal) audit is intended to provide a first line of defense against audit and regulatory violations does not seem to allay these concerns, and I have known many IT professionals (some of them my boss at the time) who would do almost anything to cover up issues that were potentially discoverable by IT auditors. This avoidance behavior can increase risk in many ways and should itself be avoided whenever possible. The first problem is that covering up issues can result in even more serious findings, especially if senior officials discover that you failed to answer questions honestly. The second problem with covering up is that the risks and problems that could have been identified still remain and may be discovered by external auditors or even regulatory authorities. This becomes very serious when a system outage occurs that impacts customers and it is discovered that there was an underlying issue that should have been identified and addressed. Finally, failure to identify and correct key IT deficiencies leaves the organization at continued risk of serious and costly production errors. In this article I will discuss some of the common audit issues found in IT organizations and how you can address these risks and ultimately get your auditors to put away their pens!

Concerns About Audit

I believe that much of the concern around internal audit is unfounded, and with suitable preparation you can comply with audit requirements and perhaps even improve your productivity and quality. The first step is to understand the scope and purpose of the audit. Some audits are intended to test internal controls and affirm compliance with corporate policy or with industry regulatory requirements. Auditors often begin by assessing the internal controls for change management. For configuration and release management, the requirement is that the organization control and manage changes to production (or to controlled test environments). A well-defined change management process is specified in almost every configuration management related industry standard and framework. For organizations that must comply with Section 404 of the Sarbanes-Oxley Act of 2002, the ISACA COBIT framework provides guidance. I have worked in organizations that were contractually required to have processes defined within the guidelines of CMMI Levels 1 and 2. Other companies wanted to demonstrate that they have a quality management system (QMS) in place and thus achieve ISO 9001 certification. Understanding the scope of the audit is essential so that you can gather the required information and be fully prepared.

Preparation is Key

No matter how well prepared you are, it always seems that auditors can find something to write up. Sometimes this seems reasonable, and at other times you may feel that they are nitpicking. It is usually better when the auditor identifies relevant issues, resulting in findings that help identify risks we would want to mitigate, rather than having an external auditor discover them, or even worse a regulatory official such as the Office of the Currency or the Fed. Many government agencies have had findings made public by the Government Accountability Office (GAO).

Involving Stakeholders

You also need to consider which stakeholders should participate in the audit. Your company may have an audit liaison who should be included in all discussions with internal audit. There are times when you may need a subject matter expert (SME) with you, or perhaps even your boss. As the build and release engineer, I am often interviewed to verify that there is a separation of controls when it comes to building, packaging and deploying releases. Equally important is the ability to conduct a configuration audit to verify that the correct physical configuration items (CIs) are in place. There is also a functional configuration audit, which verifies that the CIs are behaving as they should. Both are well defined in the IEEE 828 configuration management standard, among other industry standards and frameworks. If your team has a well-written CM plan based upon industry standards (e.g. IEEE 828, EIA 649B), then your audit may be completed quickly enough for you to be home in time for dinner and your favorite movie. Given that you proactively established the essential IT controls, it is no surprise that you do not need to fear the dreaded (by others) IT audit.
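The two controls an auditor asks the release engineer about in the paragraph above, a physical configuration audit (are the CIs actually in production the ones the release manifest says were built?) and separation of controls between building and deploying, can both be evidenced with a small script rather than a verbal assurance. The following is an added example written for this article, not code from the author or any of the standards cited; the manifest format (CI name to SHA-256), the release log fields and all file contents are constructed assumptions for the demonstration.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an artifact; the identity used to match a CI to its release record."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(built_artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """What the build step records: CI name -> SHA-256 of the artifact it produced.
    Assumed manifest format for this example."""
    return {name: sha256_bytes(content) for name, content in built_artifacts.items()}


def physical_configuration_audit(manifest: Dict[str, str], deploy_dir: str) -> Dict[str, List[str]]:
    """Physical configuration audit: compare the release manifest with the deployed directory.
    Findings are grouped as missing (in manifest, not deployed), modified (deployed but hash
    differs from what was built) and unexpected (deployed but never released)."""
    findings: Dict[str, List[str]] = {"missing": [], "modified": [], "unexpected": []}
    deployed_names = set(os.listdir(deploy_dir))
    for name, expected_hash in manifest.items():
        path = os.path.join(deploy_dir, name)
        if not os.path.isfile(path):
            findings["missing"].append(name)
            continue
        with open(path, "rb") as fh:
            if sha256_bytes(fh.read()) != expected_hash:
                findings["modified"].append(name)
    findings["unexpected"] = sorted(deployed_names - set(manifest))
    return findings


def separation_of_duties_findings(release_log: List[dict]) -> List[str]:
    """Separation of controls: flag any release where the person who built it also deployed it.
    Assumed log fields: release, built_by, deployed_by."""
    findings = []
    for entry in release_log:
        if entry["built_by"] == entry["deployed_by"]:
            findings.append(
                f"{entry['release']}: built and deployed by the same person ({entry['built_by']})"
            )
    return findings


def demo_audit() -> Tuple[Dict[str, List[str]], List[str]]:
    """Run both audits over constructed data and return the findings."""
    # Constructed build output, as recorded by the build step.
    built = {
        "app.jar": b"release build 1.4.1",
        "config.yml": b"db_host: prod-db\n",
        "README.txt": b"release notes 1.4.1",
    }
    manifest = build_manifest(built)

    # Constructed production directory: config edited by hand after release,
    # README never copied, and a stray file that was never part of any release.
    deployed = {
        "app.jar": built["app.jar"],
        "config.yml": b"db_host: prod-db\ndebug: true\n",
        "hotfix.patch": b"constructed stray file",
    }
    with tempfile.TemporaryDirectory() as deploy_dir:
        for name, content in deployed.items():
            with open(os.path.join(deploy_dir, name), "wb") as fh:
                fh.write(content)
        pca_findings = physical_configuration_audit(manifest, deploy_dir)

    # Constructed release log; 1.4.1 violates separation of controls.
    release_log = [
        {"release": "1.4.0", "built_by": "alice", "deployed_by": "bob"},
        {"release": "1.4.1", "built_by": "carol", "deployed_by": "carol"},
    ]
    return pca_findings, separation_of_duties_findings(release_log)


if __name__ == "__main__":
    pca, sod = demo_audit()
    for category, items in pca.items():
        print(f"physical configuration audit - {category}: {items}")
    for line in sod:
        print(f"separation of controls finding - {line}")
```

Run as a script it prints one finding per category; in practice the manifest would come from the build system's signed record and the release log from the deployment tool, and the script's output is the evidence handed to the auditor rather than a statement that "nothing changed".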

Copyright © 2017 CM Best Practices. All Rights Reserved.