IT security audit scope divulgence

Is there a balancing act when it comes to divulging the full scope of an IT security audit to the IT team you will be auditing? For example, the IT team will say we are willing to work with the auditors, can they give us some idea of the areas they will be testing, yet if the IT auditors give the IT team too much information, they could say 'ah, we won't be available for a month', and then use the audit checklist/program scope to immediately patch up any weaknesses before the auditors come in; thus it seems a perfect setup but in reality it was a spur-of-the-moment patch-up to look good. I can see the need to pre-warn them of the audit scope, but with too much, does it just completely ruin the overall purpose of the audit, as it will be such a false result?
pma111 asked:
MikeKane commented:
I've been through this, and it has always been a 'grey' area. While it is very common to alert a department about an upcoming audit, and even to give them an idea of what will be covered (in very general terms), I have found that the level of detail provided beforehand is really just a corporate culture 'thing'.

I have been with several different financial institutions and have gone through many audits. I find that when a 3rd party agency (i.e. FCC) announces an audit, they are very by the book. And it is very, very easy, with just a little research, to discover the exact questions you will be asked. It's pretty standard stuff. It's even better when internal Audit works as the liaison between the dept and the external auditors.

Internal audits have usually been the same way. Especially in a culture where the auditors work with departments instead of the 'A-ha, I gotcha' style of auditing.

I look at it this way. If everyone in the team is a professional, then they want a tight ship that looks good when evaluated. As a manager and former AVP, I never had an issue with internal audit providing a blueprint for what is expected. I've always considered it 'practice' or a 'trial run' before the external auditors looked us over. If internal audit works with IT to fill any holes before the feds find them, it was a win for both departments as far as I was concerned. Just so long as the fix was a real fix, and not 'smoke and mirrors'.
pma111 (author) commented:
How do you mean a cultural issue, may I ask? Is it acceptable that if the auditors say we will be focusing on this area, I need this, this and this, and the IT team takes 8 weeks to get this (knowing full well they'll use that 8 weeks to get everything up to scratch), can the auditors say that's not the rules of the game? As surely it's a flawed process and loses the spot-check element?
MikeKane commented:
Auditors would never ask for anything that takes 8 weeks to produce. The auditors will wait a reasonable amount of time of course, but the whole point of the audit is to prove that the procedures in place meet or exceed the policies. A typical security audit may ask for a lockout report of user IDs. You may be able to whip it out in a few mouse clicks, or you may need an hour to get to it and then run a query manually. Either way, you have produced the report. If you can't generate this in, say, 2 days, then that is a failed item that needs remediation. This would go back to IT as an item that needs attention and follow-up. The follow-up audit would revisit the failed items and look for an acceptable process.
pma111 (author) commented:
Cheers Mike
Question has a verified solution.