AWS Audit Manager: Accelerating the Audit Lifecycle

Earlier this month, Amazon Web Services (AWS) announced a new offering: AWS Audit Manager. This product was built to simplify the risk and compliance process for AWS customers – which is a big deal these days as cybersecurity audits take up more and more time from CISOs and IT Security teams.

In this post, I’m going to cover why AWS Audit Manager is an important development, and how it fits in the broader context of the full lifecycle of a cybersecurity audit. AWS Audit Manager helps AWS users manage evidence collection and reviews of their AWS infrastructure when it comes time for an audit, incorporating a number of pre-built frameworks and mappings to common standards. In essence, it pulls and organizes information from your environment to get you as audit-ready as possible.

The trend towards audit automation

It’s not really a surprise that AWS felt this was an important product to create. In fact, it’s just the latest in a trend of technology solutions designed to make the audit process easier. These solutions are typically called audit automation solutions, readiness software, or compliance management solutions.

Auditing isn’t going away – yet never will it be fully automated either. We are seeing explosive growth in SOC 2 audits as a means of demonstrating sound cybersecurity principles and communicating trust to future customers and business partners. CMMC is a big initiative on the horizon for anyone working with the Department of Defense in 2021 and beyond. GDPR and CCPA have redefined how organizations approach privacy, applying management systems to govern the risks associated with personal data. And chances are there will be more of all of this going forward.

All of this has created a huge burden on so many IT organizations. Not only do they have to deal with understanding what’s required from all the different potential regulations and directives they may be subject to, but then they have to laboriously gather evidence and work with a human auditor to have it validated.

That’s a big distraction from their normal day jobs. As a result, it’s safe to expect more and more tools designed to make the process easier. AWS Audit Manager is the most recent one.

The five stages of the audit lifecycle

Any audit follows a typical process – we call it the Audit Lifecycle

Lifecycle-Audit_Support

If you want your audit to go smoothly, you’ll follow these five steps:

  • Readiness: Before you do your audit, you’ll want to know that the appropriate systems and processes are all in place and functioning as expected – a gap assessment or readiness assessment can help here.
  • Evidence Collection: Once your audit kicks off, you’ll begin gathering evidence that demonstrates that your controls are implemented in alignment with the intent of the criteria being evaluated. This evidence is based on an Information Request List (IRL) that the auditor is responsible for creating, and typically includes policies/procedures, log files, reports, screenshots, and other documentation. NOTE: IRLs are highly subject to what an auditor needs to see, which is why your auditor should be involved throughout the entire audit lifecycle.
  • Fieldwork: During this phase, the auditor assesses all the evidence that’s been collected to make sure it is acceptable. Any gaps are identified, and remediation requirements are communicated, if applicable.
  • Reporting: After everything is validated, the auditor produces your audit report. This report primarily consists of a high-level narrative description of your environment and a thorough, expert review of all the evidence submitted.
  • Attestation, Certification & Accreditation: With an assessment successfully completed and submitted by your auditor, you’ll earn your official attestation, certification, or accreditation from the appropriate industry organization or governing body.

The stages of Readiness and Evidence Collection represent the biggest burden for companies. They encompass all the prep work and documentation that you have to do in order to be audited. It’s not too different from gathering all your financial information for the year before filing taxes – just much more involved.

What audit automation can – and cannot – do

It’s no wonder that the two most burdensome stages (Readiness and Evidence Collection) are exactly where tools like AWS Audit Manager help most. By instrumenting your live systems and mapping configurations and operational elements to specific compliance frameworks, they can present a picture of where your readiness gaps are, and they can make evidence collection available at the click of a button.

Readiness software makes some of the overall process easy – but it can’t automate everything. For AWS, it’s readiness and evidence collection within your AWS infrastructure, with a little support for manual evidence collection from outside AWS. That’s where it stops.

Unfortunately, the industry is not yet at a point where your full audit can be automated. You still have to assess readiness and gather evidence for systems that aren’t built on AWS. You still have to evaluate compliance where systems integrate and interconnect. And you still have to communicate with human auditors who ultimately sign off on your systems, processes, and procedures.

AWS Audit Manager, and tools like it, can drastically reduce the effort needed to prepare for an audit and to get all the required documentation together. However, a huge part of the process is coordinating across all those different systems and bringing the audit across the finish line, all the way through the full audit lifecycle.

No one gets your audit over the finish line like A-LIGN

The audit & compliance process is a joint operation involving both technology and humans. If you want to get through it as smoothly as possible, with minimal headache, you need to embrace both sides of that equation. Here at A-LIGN, we leverage technology in a big way as we lead you through the audit process.

First, we help evaluate what you need to do to prepare. Not just for a single system like AWS, but across your entire operation. Whether through a more formal gap assessment or readiness assessment project, or with our client-first approach to our engagements, we want to make sure you are as prepared as possible for the actual audit.

When it comes to collecting evidence, our team will make use of information from whatever systems you happen to have in place – like AWS Audit Manager – to streamline the collection of evidence as much as possible. We pull all that evidence into our own compliance management platform, A-SCEND, which we provide to every client undergoing an assessment with our firm, at no cost. This platform is a big focus for us as a company because it is helping thousands of clients realize huge time savings and efficiencies – especially as they move between different audits or through different quarterly/annual cycles.

Finally, we streamline the fieldwork, reporting, and final certification / accreditation phases. These are areas that AWS Audit Manager – or really any kind of audit automation or readiness software – simply can’t be involved in. However, with over 10 years in the cybersecurity audit market, we know how to do this better than anyone else out there, and all that experience will get you through the process as painlessly as possible.

A-LIGN combines the A-SCEND SaaS platform with amazing people

Technology is coming hard and fast to the audit process, and AWS Audit Manager is going to be very valuable to many companies in the AWS ecosystem. But ultimately, audits are a human endeavor, and here at A-LIGN we’ve combined great technology with people who can get the most out of it.

Our A-SCEND compliance management platform, delivered free to all A-LIGN clients as a SaaS offering, works alongside products like AWS Audit Manager to centralize evidence collection, deliver a searchable asset repository, and facilitate collaboration and information sharing between you and your partner team at A-LIGN. With the assessment crosswalk capability built in, you can easily see how evidence already submitted applies to future audits and other frameworks, so you don’t have to recreate the wheel every time that cycle comes around.

Then there’s our people, who bring a white-glove approach to the work we do with you. From our 24-hour response commitment (you won’t ever be left waiting to hear from us), to our dedicated customer success team that helps to make sure your audits are successful, to our on-staff auditors who stick with clients year after year – we make sure your experience working with us is second to none. And that’s exactly why we have a 96% customer satisfaction rating.

Want to learn more about how we work with AWS Audit Manager to accelerate your audit? Schedule a consultation today.