Surviving the IT Audit
IT managers have many challenges that they must overcome on a daily basis. One of the most anxiety-inducing and often frustrating experiences can be surviving the IT audit. Whether you are dealing with your own internal audit department, an outside firm, or regulatory authorities after a major incident, getting through the audit can indeed be quite challenging. Audits are intended to identify risks and to confirm that the IT controls which mitigate those risks actually exist and operate. The key is not only to have the right IT controls in place, but also to have documentation handy that demonstrates you are following industry best practices as defined by the standards and frameworks appropriate to your industry. If you invest a little time in preparation, you can not only survive your next audit, but also use the auditors' findings to improve your existing practices.
There are many different types of audits within the world of IT, and your preparation will be very much impacted by the scope and focus of the audit. Many IT managers don’t realize that you can ask the auditors up front to indicate exactly what they will be looking at during the audit process. I have seen many audits that were focused specifically on demonstrating runtime baselines for the applications and underlying systems code. Dealing with such a specific and focused audit is as easy as showing documentation describing your configuration management best practices, such as labeling or tagging your code and the procedures that you have in place to ensure that the right code is deployed to production.
Traceability is key in these types of audits, and I have worked with many large banks and other financial services firms to develop automated procedures to verify and validate that the correct code has been deployed to production, which is known as a physical configuration audit. The functional configuration audit is similar but is more concerned with verifying that the code does what it needs to do at a functional level. Establishing traceability across both is where workflow automation tools can be very helpful.
In task-based development, we create work items and associate them with atomic changesets that are checked in (or committed) to the version control system. This allows you to demonstrate who requested the change, along with the steps involved in approving and testing the code that has been delivered. This is where integrating a version control system with a workflow automation tool can be very helpful, including automating the creation of the release itself. Robust automated procedures to ensure traceability often make auditors put away their pens.
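The two checks described above, a physical configuration audit of what is deployed against the tagged baseline and a traceability audit of changesets against work items, can be scripted. The block below is an added example and is not code from the original article or from any bank or workflow tool. The release file contents, the deployed-host contents, the work item records and the `git log --oneline` output are all constructed inline, and the `WI-####` identifier format and the `approved`/`tested` fields are assumptions about what a workflow tool would record.

```python
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    """Content hash used for every file in the release manifest."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: the files that made up release tag v1.4.2. In practice the
# build system would record this manifest (path -> SHA-256) when the tag is cut.
RELEASE_FILES = {
    "app/ledger.py": b"def post(entry):\n    return entry.amount\n",
    "app/config.ini": b"[db]\nhost=db.internal\n",
    "app/rates.py": b"RATE = 0.0425\n",
}
BASELINE_MANIFEST = {path: sha256_hex(data) for path, data in RELEASE_FILES.items()}

# Constructed sample: what is actually found on the production host.
# One file drifted (hand-edited), one is missing, one was never part of the release.
DEPLOYED_FILES = {
    "app/ledger.py": RELEASE_FILES["app/ledger.py"],
    "app/config.ini": b"[db]\nhost=db.internal\ndebug=true\n",
    "app/debug_dump.py": b"print('temporary')\n",
}


def physical_configuration_audit(baseline, deployed):
    """Compare deployed artifacts with the tagged baseline.

    Returns a list of findings: ("missing", path), ("modified", path) or
    ("unexpected", path). An empty list means production matches the tag.
    """
    findings = []
    deployed_hashes = {path: sha256_hex(data) for path, data in deployed.items()}
    for path, expected in sorted(baseline.items()):
        actual = deployed_hashes.get(path)
        if actual is None:
            findings.append(("missing", path))
        elif actual != expected:
            findings.append(("modified", path))
    for path in sorted(set(deployed_hashes) - set(baseline)):
        findings.append(("unexpected", path))
    return findings


# Constructed sample: work items exported from the workflow tool (assumed fields).
WORKITEMS = {
    "WI-1042": {"requested_by": "treasury-ops", "approved": True, "tested": True},
    "WI-1050": {"requested_by": "j.doe", "approved": False, "tested": False},
}

# Constructed sample: `git log --oneline v1.4.1..v1.4.2` for the release range.
GIT_LOG = """\
3f9a1c2 WI-1042: round interest to the cent before posting
b77e0d4 WI-1050: raise rate cap per new policy
c01d9ee fix typo in comment
"""

# Assumed work item identifier format.
WORKITEM_RE = re.compile(r"\bWI-\d+\b")


def traceability_audit(git_log, workitems):
    """Check that every changeset in the release range traces to an approved, tested work item.

    Returns findings: ("no_workitem", commit), ("unknown_workitem", commit, id)
    or ("not_approved_or_tested", commit, id).
    """
    findings = []
    for line in git_log.splitlines():
        if not line.strip():
            continue
        commit, _, message = line.partition(" ")
        ids = WORKITEM_RE.findall(message)
        if not ids:
            findings.append(("no_workitem", commit))
            continue
        for workitem_id in ids:
            item = workitems.get(workitem_id)
            if item is None:
                findings.append(("unknown_workitem", commit, workitem_id))
            elif not (item["approved"] and item["tested"]):
                findings.append(("not_approved_or_tested", commit, workitem_id))
    return findings


if __name__ == "__main__":
    for finding in physical_configuration_audit(BASELINE_MANIFEST, DEPLOYED_FILES):
        print("physical:", *finding)
    for finding in traceability_audit(GIT_LOG, WORKITEMS):
        print("traceability:", *finding)
```

Run against real systems, the baseline manifest comes from the build that produced the tag, the deployed hashes from the production hosts, and the log from the actual tag range; the scripts' output (ideally empty) is the evidence you hand to the auditor, rather than a description of the procedure.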
Your compliance department will always have the final say on what practices you need to have in place to demonstrate that you have complied with the regulatory requirements specific to your industry. The medical and pharmaceutical world has to comply with regulations such as HIPAA and Title 21 of the Code of Federal Regulations (21 CFR, notably Part 11 on electronic records and signatures). Publicly traded firms must demonstrate compliance with Section 404 of the Sarbanes-Oxley Act of 2002. Many firms want to demonstrate that they have a robust quality management system as required by the ISO 9000 family of standards (ISO 9001 being the one you are certified against). Whatever the focus of your audit, try to use these efforts to improve your existing practices and enhance your productivity and quality.