IT audits are never fun, but surviving an IT audit is largely just a matter of being able to give the auditors the information that they ask for and being able to prove that you are adhering to established procedure. Of course there are many different types of IT audits and each has its own unique nuances, but there are some general best practices that tend to apply across the board.
Document Your Internal Procedures and Follow Them
One of the keys to surviving an IT audit is to document all of your internal IT procedures. The auditor is going to expect you to be able to show them established procedures for tasks such as creating a backup or adding a user to Active Directory.
However, being able to deliver a set of documented procedures to the auditor is unlikely to fully satisfy the audit requirements. In addition, you will be expected to prove that the organization adheres to the established procedures. It is this requirement that tends to get a lot of organizations in trouble.
You may be able to satisfy the auditor by demonstrating that the organization has automated workflows in place for various situations, but some tasks are difficult to automate. For such tasks it may be easier to use a tool such as LepideAuditor to create customized reports containing events that prove adherence to established procedures.
Perform Your Own Internal Audits
One of the best things that an organization can do to prepare for an IT audit is to conduct its own internal audit. Self-auditing gives the organization a chance to detect and correct deficiencies before a real audit. Although an internal audit can be a tedious process, performing regular self-audits may help organizations to avoid fines levied by the real auditors. Furthermore, a self-audit can help IT to be better prepared for the real audit by getting the IT staff into the habit of producing documentation on demand.
Whether an organization is performing a self-audit or undergoing a real audit, it will need a reporting engine that can produce the data required by the auditor. LepideAuditor can help an organization to build a set of reports that will be needed each time that an audit is performed.
Establish a Procedure for Detecting and Addressing Attempted Security Breaches
Another key to surviving an IT audit is being able to prove that the organization has a system in place for detecting attempted security breaches as well as a policy for dealing with such attempts. Although firewalls and intrusion detection systems can help to alert an organization to an attempted security breach, such devices are practically useless if the attack comes from within.
LepideAuditor Suite is able to track changes to key systems in real time, and can be configured to alert the IT staff if unexpected changes occur.