The Simple Way to Reduce Your IT Security Audit Findings

Few managers look forward to their annual IT security audit. It’s a painful experience for everybody involved. You have that sinking feeling of an outsider looking over your shoulder quietly listing mistakes.

Some auditors see themselves as quasi-police investigators determined to find evidence of wrongdoing! While that approach leads to robust audits, it makes managers and staff feel like they’re on trial. To explain why IT audits feel so painful, take a step back.

What Happens Before the IT Audit Starts

Long before you hear from your IT auditors, they prepare their annual audit plan. Like any department, they have limited resources and have to make difficult decisions about allocating them. For example, they may decide to audit some departments every three years because they’re low risk. Other groups, such as the finance department, are likely to be audited every year without fail because of the sensitivity of their role.

Finally, IT audit specialists are constantly taking professional development courses to learn about threats, such as inactive user accounts, phishing, and password management. After they complete all that preparation, they’ll reach out to managers and executives of other departments to schedule audits.

The Aftermath of IT Audits: More Work for You?

In our experience, most IT audits include findings and observations for management to address. These findings range from simple improvements (e.g., offer employee password training) to complex ones (e.g., implement a single sign-on software solution). In each case, it costs time and resources to respond to these recommendations. If you ignore audit findings, you’ll likely get a much harsher report in your next audit. If the trend of ignoring audits continues, your career with the company could be in jeopardy.

Before, during, and after the IT audit, managers and staff are both going to be distracted by ad hoc requests from auditors. Thus, customer requests and other concerns might be neglected. Fortunately, you have options to make your annual IT audit easier.

The Different Path to Better IT Audit Results with Less Stress

To simplify your IT audit and minimize the number of findings, you need better processes and tools. Otherwise, you’ll always be scrambling to catch up! It’s far better to spend an hour or two per month on IT security oversight than be embarrassed in front of your VP with a long list of audit findings. How do you make that happen? Use these three techniques to make your next IT audit painless and fast.

1. Revisit Your Relationship with IT Audit

Most managers have an adversarial or transactional relationship with IT audit. They reluctantly deal with IT auditors when they show up and forget about them the second they leave. If your performance objectives include audit and risk, this ad hoc approach isn’t going to cut it. You need to put some effort into forming a relationship. To get started, we recommend setting up two meetings per year when you and your IT auditor discuss hot topics in the industry. If you’re located in the same building, consider taking your auditor out for coffee or lunch as well.

Resource: To brush up on your networking skills, we recommend the book “Never Eat Alone, Expanded and Updated: And Other Secrets to Success, One Relationship at a Time” by Keith Ferrazzi and Tahl Raz.

2. Seek Out IT Governance Suggestions

If you’re a manager, ask somebody on your team to act as the IT governance lead. You can scale the lead’s role up or down based on your company’s size and complexity. At a minimum, we suggest asking your IT governance lead to build and use a quarterly checklist to review your department. This “mini-audit” will help you detect problems and address them quickly rather than waiting for IT audit findings to emerge.

3. Save Time and Improve Consistency by Implementing an IT Security Chatbot

Relying upon manual processes to complete your IT governance used to be sufficient. When your employees only had a handful of applications, manual review worked. However, that isn’t our world. Many companies have dozens of apps when you factor in SaaS applications and platforms. With so many balls to juggle, it’s easy to get overwhelmed and drop something.

The solution? Implement Apollo, a chatbot built to handle routine IT security tasks such as resetting passwords and setting up user accounts. Using a chatbot to supplement your help desk is an excellent way to provide improved convenience to your staff. You might be wondering how Apollo helps you avoid IT audit findings. It helps by applying the power of consistency. Instead of asking your staff and managers to track every account request, Apollo tracks it automatically. You can also request reports whenever you need them. That means you won’t have to spend time on record keeping and other administrative tasks associated with IT audits.

Written by Nelson Cicchitto