How to survive an audit. Gib – President MDLUG.org Audit tips


How to survive an audit.

Gib – President MDLUG.org
Audit tips. What to document.
1. Clarify goals
2. Review / Understand Policies
3. Write Documents Describing Gaps
4. Create Common Best Practices
1. Clarify Goals

Accounting analogy – centuries of practice have resulted
in a firm understanding of procedures and techniques.
Computer auditing has only existed for a few decades.

Is this an internal auditor or an external auditor?

Don't let technical people talk to the auditor.

Ask for written instructions and questions – ahead of
time. Define rules of engagement.

Try to set a scope.

Ask for an example of another audit.

Look for any prior work for this scope.
2. Review / Understand Policies

Read the company policy manual. Don't have one? Then
search on the internet or do research.

Review the policy manual with someone you trust.
Discuss any issues in detail. Feel comfortable with
how you respond to issues. Practice responses.

Review policy manual items related to the scope of the
audit with peers. Ask how others handle issues. You
may be able to justify common problems.

Document concerns – better to come clean than look
dirty.
3. Write Documents Describing Gaps

Describe issues, concerns or gaps in writing in a
non-technical way. List the risk to the business.

Describe any mitigation to the risk. Is risk real/likely?

Describe why the gap exists – cost to repair?

Advise business owners and stakeholders (written).

Write a plan to address gaps. Provide planning dates.

Schedule project to address issue – set priority.

Seek funding for the project – justify any delay. BUDGET:
accounting has centuries of history to help with
procedures to define effort.
4. Create Common Best Practices

ITIL – industry standard best practices – "Information
Technology Infrastructure Library". Like accounting
procedures, but for the technical computer industry.

Separation of duties; log changes; require approvals,
role definitions, configuration change practices.

Tools: source control, roll-to-production rule
enforcement. Password management (PAR:
password authentication repository).

Manual log of actions taken if tools don't provide a list.
Who changed code, reviewed, approved, migrated.

Verify enforcement of rules. Reverse audit procedure.
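As an added example of the "verify enforcement of rules" step (this is not code from Gib's slides or from MDLUG), the following Python check reads a change log of the kind described above (who changed, reviewed, approved, migrated) and flags records that break separation of duties or lack an approval. The field names and the sample records are constructed assumptions; a real run would load them from the source-control or ticketing tool, or from the manual log.

```python
"""Reverse audit of a change log: verify separation-of-duties and approval rules.

Each record says who changed, reviewed, approved and migrated a change.
The rules checked here are the ones the slides list: every role filled,
and the author never reviews, approves or migrates their own change.
"""
from collections import Counter

# Constructed sample change log (assumption, not real data).
CHANGE_LOG = [
    {"id": "CHG-1", "changed_by": "alice", "reviewed_by": "bob",
     "approved_by": "carol", "migrated_by": "dave"},
    {"id": "CHG-2", "changed_by": "alice", "reviewed_by": "alice",
     "approved_by": "carol", "migrated_by": "dave"},
    {"id": "CHG-3", "changed_by": "bob", "reviewed_by": "carol",
     "approved_by": None, "migrated_by": "bob"},
    {"id": "CHG-4", "changed_by": "erin", "reviewed_by": "bob",
     "approved_by": "erin", "migrated_by": "dave"},
]

ROLES = ("changed_by", "reviewed_by", "approved_by", "migrated_by")

# Roles the author of a change must never hold on the same change.
SELF_CONFLICTS = {
    "reviewed_by": "author reviewed own change",
    "approved_by": "author approved own change",
    "migrated_by": "author migrated own change to production",
}


def check_record(rec):
    """Return a list of rule violations for one change record (empty = clean)."""
    findings = []
    # Rule 1: every role must be filled, otherwise there is no evidence of it.
    for role in ROLES:
        if not rec.get(role):
            findings.append(f"missing {role}")
    # Rule 2: separation of duties; the author cannot fill any other role.
    author = rec.get("changed_by")
    if author:
        for role, message in SELF_CONFLICTS.items():
            if rec.get(role) == author:
                findings.append(message)
    return findings


def audit_change_log(log):
    """Map change id -> violations, keeping only records with findings."""
    results = {}
    for rec in log:
        findings = check_record(rec)
        if findings:
            results[rec["id"]] = findings
    return results


def summarize(results):
    """Count each finding type; this is the figure to put in the gap document."""
    return Counter(f for findings in results.values() for f in findings)


if __name__ == "__main__":
    problems = audit_change_log(CHANGE_LOG)
    for change_id, findings in problems.items():
        print(change_id, "->", "; ".join(findings))
    print("summary:", dict(summarize(problems)))
```

The summary counts are what go into the written gap document from section 3: a number of changes without a recorded approval is a business risk that can be stated in non-technical terms, and the same script re-run after the fix is the evidence that the rule is now enforced.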