These common mistakes can be the difference between failing your next IT Audit, or making it a beneficial exercise.
- Not knowing your assets. Identifying your assets ahead of time and having an updated inventory to provide your auditor will save you both headaches and having to revisit and revise reporting.
- Neglecting to remediate from a previous audit. Not following through with remediating previous audit failures is sure to get the new audit off to a bad start. If you feel you implemented a compensating control or don’t agree with the finding, be proactive in discussing that with your auditor.
- Don’t prepare your staff for the audit. The auditor will likely need to interview multiple stakeholders, not just the IT team. Confirm ahead of time who the auditor will want to speak with and let your staff know what to expect so they can be prepared with the information. Scheduling time with each staff member during the audit will also facilitate the process.
- Policies and procedures that don’t exist or don’t match up. Make sure your documentation is updated and mirrors what you actually have in place for technical controls and processes. A disconnect between the documentation and reality is a red flag for an auditor.
- Treat the auditor like an enemy. We get it, no one gets excited to be audited. However, an audit can be a beneficial experience if you approach it with the a positive attitude. Auditors can provide valuable insights and recommendations for improving your controls, and catch vulnerabilities that once mitigated will decrease your organizations cyber risk.