Nowadays, being in IT means dealing with audits — this is true regardless of whether you do business in a regulated industry (e.g., financial services, healthcare), whether you provide service to clients in those industries, or whether your organization has a non-vertical need for audit (i.e., you’re a publicly traded company responsible for SOX compliance, or a retailer responsible for PCI compliance).
The unfortunate bottom line in today’s world (at least for those of us in IT): Audits are going to happen, they’re probably going to be more painful than we’d like, and they’re usually going to mean sidelining already busy resources to answer questions and produce evidence. Let’s face it — it’s not a boon to our productivity.
However, all of the interference to our organizations — painful as it is when we’re trying to put out fires — is nothing compared to the time our own organizations waste when it comes to the audit process. That’s because in many cases, our own staff winds up making the audit process more time-consuming, more resource-intensive, and longer in duration than it needs to be. They’re not doing it on purpose; it’s just human nature because of the dynamic between the auditor and certain staff members.
By helping staff understand what the role of the audit is — and priming them on what not to do during interviews and evidence collection — a savvy organization can streamline the time spent dealing with the suits and move rapidly back to the million other things that would otherwise be piling up.
Lies, Misdirection and Fortune-Telling
Generally, it’s important to realize off the bat that IT staff members distrust auditors. Why wouldn’t they? Think about it: Having someone come around asking a bunch of questions about security, duties, roles and responsibilities makes people feel like they’re under scrutiny. From their point of view, the implication is that they’re doing something wrong — that their management thinks they’re doing something wrong, and that the auditor is there to find out what that something is. It’s hard to feel like a trusted expert when someone comes around questioning what you do and why you do it.
So, it’s natural for folks not to trust the auditors. However, our staffs’ inherent distrust and defensive posture opens them up to mistakes that adversely effect the efficiency (and accuracy) of the audit process — and trust me, at the end of the day, that’s not good for anybody.
It’s not hard to see how this innate distrust plays out in the context of a typical audit scenario. For example, take a staff member who knows of some operational or security issue that the organization has. This distrust of the audit process causes that person to try to evade providing a direct answer instead of simply stating the issue. The goal — like a stage magician palming a coin — is to answer the questions, all the while keeping the known issue just out of sight.
Staff members who do this won’t always exactly lie — although sometimes in extreme situations they will — but they’ll definitely go through verbal gymnastics to spin the issue or dance around it. For example, if an application doesn’t use a robust password, a direct answer would be to say exactly that. However, a staff member with a high level of distrust might say something like “the system can be configured to use strong passwords.” In actuality, the system can be configured that way — but in the context of the organization’s current deployment, it just isn’t.
Alternatively, one might deliberately misdirect. One might say “we use strong system passwords” (referring instead to some passwords other than the ones under discussion — i.e., the domain password instead of an application password). It’s not a lie, but it’s sure not the truth, either.
Sometimes, a staff member who knows there’s a fix on the way for a known issue in a particular system/process will speak to the “new and improved” version of the system/process — even if it’s months away from production or still in the whiteboard phase. In this situation, the goal is to avoid the issue on the one hand, but to avoid lying on the other — so the staffer skirts the direct answer and speaks to what will be rather than to what is.
Why This Makes the Audit Worse
What’s important to realize is that in these situations, the auditors (if they’re doing their job) will probably get to the root of the issue eventually by comparing notes between staff members. They’ll find it — just later in the process than they would have otherwise.
When they do find it, it puts the credibility and competency of the misleading staff member(s) at issue and causes them to question everything else they were told during the process. At that point, their only option is to keep digging and comparing notes until they get to the real story. They might need to spend more time with other resources double-checking what they were told; they might have to collect additional evidence to validate what was said; they might need to expand sample sizes to include more systems; or they might have to go back and meet again with the same resources to confront them with the divergent information.
The most likely outcome is that the avoidance will translate directly to an extra helping of duplicated or extra work all around. Really, though, that’s the best case scenario. Worst case, the auditors don’t catch on and instead get bad data. This, of course, means that your organization is paying for that bad data, that management misses the opportunity to fix the issues, and that the problematic situation lives to bite you another day. Neither option is desirable.
As IT managers, we have a clear mandate: If we are going to be in the business of responding to audits and auditors (and we are), we need to make sure that our staff is equipped and prepared to meet the tough questions head-on. The best way to do that is with the setting of clear expectations ahead of time — by informing staff members early on in the audit process (think, before the auditor gets on site) and by communicating to them the need to provide clear, accurate and direct answers about the current state of the environment.
By giving them full transparency into what the goal of the audit is and by establishing clear parameters ahead of time about what’s expected, you can soothe any fears — possibly that they’re not trusted experts or that somehow the audit will translate into more work for them, for example.
The truth is that except for very rare circumstances, your auditors want you to do well. Their ideal scenario is to find a few minor observations (because they want to make sure everybody knows they did their job) but to walk away and say positive things about your organization. They not only want you to do well, but also want to stay out of your way.
Trust me, no matter what it might look like, they have no interest in gumming up your operational works by playing 20 Questions with critical resources. However, recognizing that they might find something that’s not entirely where it should be and will have to report it in order to do their job, why not help them get there earlier and get them out of your staffs’ hair sooner rather than later?
Ed Moyle is currently a manager withCTG’s information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner ofSecurity Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.