Have you seen that movie “Groundhog Day?” You probably have, but on the off chance that you missed it, it’s the movie where Bill Murray’s character (who’s kind of a jerk) wakes up every morning to find that it’s the same day — Groundhog Day — over and over again. He’s forced to relive the same day repeatedly, and as he does so, he slowly learns enough about life to transform into a pretty likable guy.
It’s a great movie, but I’m not actually calling your attention to it to recommend watching it (which I do). Instead, I’m bringing it up because it makes a great metaphor for IT audit. Hear me out before you scoff.
You see, in the movie, Bill Murray’s character wakes up every day and “remembers” what’s about to happen because he’s lived that day time and time again. However, nobody else he encounters does — to everyone else around him, the events that happen during the day are totally new and unexpected. This is almost exactly what’s happening in most firms during an IT audit.
Here’s what I mean: When it comes to gathering the evidence required for an audit — no matter how many times we’ve worked together in the past to gather almost the exact same evidence — it’s still a challenge to find and get access to the required material. As part of the work that I do, I conduct a number of audits of various firms — large firms, small firms and every shape and size in between. I do PCI (payment card industry) audits, HIPAA (Health Insurance Portability and Accountability Act) audits, general controls audits — you name it, I audit it. One thing I’ve noticed is that all organizations — no matter what size or in what vertical market — have very similar challenges locating the information that auditors need.
Same Ol’, Same Ol’
It’s easiest to see what I mean by looking at an example like PCI. As part of the PCI compliance validation process, some firms (like large retailers) are required to have a QSA (qualified security assessor) come in and validate their level of compliance to the PCI Data Security Standard. As part of the process of validating compliance, the QSA requests evidence in the form of firewall rules, log files, system configuration documentation and so on. The published audit procedures for PCI are pretty specific, so the QSA will ask for (more or less) the same documentation and evidence each and every time they come in (usually annually). If a firm was assessed in the past, some QSA — maybe even the same one — has already spent time working with that firm to gather the required documentation.
But most of the time, the work required to gather evidence is the same. Firewall logs? Ask around to find the right person to send the request to, request the documents, explain to them what we’re doing and why, work with them to establish an appropriate and representative sample to include, and so on. System logs? Find out who owns that, initiate the request, find out when their schedule allows them to retrieve the information for you, work with them regarding what type of log you’re looking for, etc.
It’s never easy, and depending on the size of the firm, each evidence request can represent days if not weeks of effort — weeks of effort, by the way, that come right out of the pocket of the firm being assessed in terms of impact to their resources as well as the overall cost of the assessment.
Moving Too Slow? Help Drive
The frustrating part of this is that, in theory, the cost of doing an audit should go down over time as firms become more and more familiar with the process. But, as we know, theory is often different from practice. In practice, while firms may streamline their internal processes to help lower overall compliance costs, the cost of the assessment tends to stay about the same year over year. If the goal of the organization is to save money (and what firm doesn’t have this goal?), it can help itself quite a bit by looking at the costs of the audit/assessment with the same cost-cutting eye it applies to everything else.
One way that firms can do this is by helping to drive the audit. Keep in mind that you are the one ultimately paying the bill for the work the auditor does — as such, you are well within your rights to keep records of who the auditor talks to and what processes were used to actually get their hands on the right artifacts and documents. Ideally, keeping a record of these things can and will help the process go smoother the next time around.
Most auditors will work with a project liaison (“guide”) or other internal personnel who help them schedule meetings, find evidence and navigate the internal organization. When it comes to allocating a point person to keep a running record of an audit for streamlining purposes, this internal guide is a good choice. Correspondingly, there is also a benefit to be had from using the same guide for the same type of audit year over year, since they will have a familiarity with the process from prior experience as well as their own written records.
If you prefer not to keep your own record of the events of an audit, keep in mind also that a good auditor or assessor will keep detailed records in their work papers. They’ll keep records of who they talked to, when, what was discussed and how a particular piece of evidence was acquired. However, unless you specifically ask for these records, most auditors won’t volunteer to provide them back to the organization. If you ask, however, many auditors will provide these records to you for you to use for planning purposes next time around.
It’s More than Just Record Keeping
Keeping records of past audits can help streamline things in terms of finding the right people and documenting how to get access to evidence, but it’s only the first step. Even if you do have a record of who is the “right person,” keep in mind that organizations change and people change jobs. The person who supplied you with the evidence last year might not be the person who supplies it to you this year. Additionally, the systems that you collected evidence from last year might have been replaced with new systems, responsibility for them might have shifted and so on. The absolute worst time to find out about these things is once the audit has already started — at that point, the auditor needs to go through the same process they would if they didn’t have any data in the first place.
If you want to ratchet your responsiveness to the next level and further streamline, consider adding a defined process to the mix in addition to just recording who a particular piece of evidence came from. For example, if you establish an audit response plan that incorporates instructions on how to get access to the various pieces of technical evidence that you will need to supply (for example, a procedure for how to get access to firewall logs), you can insure against changes in personnel or organization stopping you cold during an actual audit.
Ideally, the ultimate goal of any organization is to get through a required audit as painlessly as possible. However, unless you take an active role in using your experience during the audit to learn from it and prepare for next time, each audit will be about as painful as the ones before it. By using a combination of record keeping and process definition, you can help streamline the process and take measures to lower the overall cost of compliance.
Ed Moyle is currently a manager with CTG’s information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.