IT security audit scope divulgence

Is there a balancing act when it comes to divulging the full scope of an IT security audit to the IT team you will be auditing? For example, the IT team will say "we are willing to work with the auditors; can they give us some idea of the areas they will be testing?" Yet if the IT auditors give the IT team too much information, they could say "ah, we won't be available for a month", and then use the audit checklist/program scope to immediately patch up any weaknesses before the auditors come in. It then looks like a perfect setup, but in reality it was a spur-of-the-moment patch-up to look good. I can see the need to pre-warn them of the audit scope, but if too much is given, does it just completely ruin the overall purpose of the audit, as the result will be so false?
pma111 asked:

MikeKane commented:
I've been through this, and it has always been a 'grey' area. While it is very common to alert a department about an upcoming audit, and even to give them an idea of what will be covered (in very general terms), I have found that the level of detail provided beforehand is really just a corporate culture 'thing'.

I have been with several different financial institutions and have gone through many audits. I find that when a 3rd-party agency (i.e. FCC) announces an audit, they are very by the book. And it is very, very easy, with just a little research, to discover the exact questions you will be asked. It's pretty standard stuff. It's even better when internal audit works as the liaison between the department and the external auditors.

Internal audits have usually been the same way, especially in a culture where the auditors work with departments instead of the 'A-ha, I gotcha' style of auditing.

I look at it this way. If everyone in the team is a professional, then they want a tight ship that looks good when evaluated. As a manager and former AVP, I never had an issue with internal audit providing a blueprint for what is expected. I've always considered it 'practice' or a 'trial run' before the external auditors looked us over. If internal audit works with IT to fill any holes before the feds find them, it was a win for both departments as far as I was concerned. Just so long as the fix was a real fix, and not 'smoke and mirrors'.
pma111 (author) commented:
How do you mean a cultural issue, may I ask? Is it acceptable that if the auditors say "we will be focusing on this area; I need this, this and this", and the IT team takes 8 weeks to get this (knowing full well they'll use that 8 weeks to get everything up to scratch), can the auditors say that's not the rules of the game? As surely it's a flawed process and loses the spot-check element?
MikeKane commented:
Auditors would never ask for anything that takes 8 weeks to produce. The auditors will wait a reasonable amount of time, of course, but the whole point of the audit is to prove that the procedures in place meet or exceed the policies. A typical security audit may ask for a lockout report of user IDs. You may be able to whip it out in a few mouse clicks, or you may need an hour to get to it and then run a query manually. Either way, you have produced the report. If you can't generate this in, say, 2 days, then that is a failed item that needs remediation. This would go back to IT as an item that needs attention and follow-up. The follow-up audit would revisit the failed items and look for an acceptable process.

pma111 (author) commented:
Cheers Mike