Featured CLIMBER: Patrick O’Shea

Employees at A-LIGN take many different paths throughout their journey – that’s why we sat down with Patrick O’Shea, Solutions Advisor, to learn how he helps businesses navigate the security and compliance landscape and what makes A-LIGN an innovative and leading partner.

Transforming Your Audit Experience with A-SCEND 2.0

Compliance is already challenging for IT professionals due to rapid changes in an evolving threat landscape and increasing regulatory requirements. IT professionals may not necessarily be experts in security and compliance, and overseeing compliance may not be their full-time job.

Myth-Busting Strategic Compliance: Fact and Fiction

The most profound change that IT leaders need to make in their approach to strategic compliance is to their own mindset. There are many self-imposed limiting beliefs that must be overcome.

Establishing a Center of Excellence with A-LIGN

TIBCO Software Inc., a global leader in enterprise data, empowers its customers to connect, unify and confidently predict business outcomes, solving the world’s most complex data-driven challenges.

Simplifying Your Audits

In today’s world of industry and governmental regulations, I know it seems like there is a revolving door of auditors, assessors and examiners visiting your location. Although we know you love seeing us and can’t wait until the next team of auditors shows up so you can clear your calendar of real work to facilitate another audit, there are ways to minimize the operational impact audits have on your organization.

Audit Schedule

Audits have various reporting periods and evidence requirements. Evidence for a point-in-time audit, like PCI DSS, can be gathered close to the report date, based on the auditor’s judgment, while a 12-month SSAE 16 engagement requires evidence from throughout the period. By coordinating audit schedules with your auditor you can get the biggest bang for your evidence-gathering buck: align your report and fieldwork dates so that the auditor can reuse the evidence gathered across multiple engagements. You don’t want to gather audit evidence and then, six months later, be asked for the same information because it needs to be from a different point in time.

On-going Communication

I know you just love talking to auditors. You see your audit firm’s name pop up on caller ID and you know your day is going to improve, but there are times when it is important to talk to your auditors. I traded emails yesterday with a client who is changing their retention policy on some information. They wanted to make us aware of it and ensure the change would not negatively impact their audit next year. It is so much easier to discuss changes in your environment before the audit period starts than to try to figure out what to do looking back in time. I have seen the “oh crap” look on my clients’ faces when I ask for supporting evidence for a control and they say “we stopped doing that, we didn’t think it was important”. So when do you call your auditor?

An audit focuses on people, processes and technology. If your organization is going to make a change in any of those three areas, it may warrant a quick email or call to your audit team. By sharing the information while a change is happening, or even before the final decision to make it, you give the auditor the chance to provide insight on how it may affect your control environment and what impact it will have on your audit.

Prepare Prepare Prepare

It is no secret what the auditor is going to request for a particular audit. The authors of the various standards publish the requirements you will be audited against. If you do not want to search for them yourself, contact your auditor and have them do some work to make your life easier. Read and understand the requirements. Communicate them to the individuals responsible for performing the tasks. I can’t count the times I have had an audit finding and the process owner states “if they told me I was supposed to do that for the audit, I would have”. Ask your auditor for a detailed request list and have the information ready when they arrive. The request list should include specific items such as reports, logs and configuration settings that the auditor will review. In addition, it should include the dates selected for their sample. As an example, the visitor logs for the months of February and August can be requested and gathered weeks in advance instead of scrambling to gather something so simple while the auditor is on-site.

By implementing these simple techniques you can get the auditors in, out and on their way so you can get back to your real job.