You come into work and see the dreaded email: Internal Audit Is Focusing On IT.
As you dig into the email, you find out that the auditors are focusing on access governance. If you have a few weeks or months before the auditors arrive, there is plenty of time to get ready. Use our guide to conduct a “practice audit” of your department. If you are aware of access problems and share what you are doing to work on them, most auditors will take account of that fact.
How Internal Audit Adds Value to Your Company: A Quick Reminder
In our experience, some IT managers and professionals do not understand how internal audit adds value. We have even heard people speak negatively or fearfully about the audit. If that is your attitude, you are unlikely to have a productive relationship with your auditors. That means long drawn-out audits and less time to focus on your core goals.
Internal audit adds value to your company in the following ways:
- Reduces security risk. Instead of waiting for you to get hacked, internal auditors can point out where you are failing to take proactive steps to improve. Think of internal audit as a “yellow light” that alerts management to problems early on before losses occur.
- Increase Consistency. In a large company, each manager has their style. However, there are still some fundamentals where you have to align for success. Auditors play a role in checking for consistent management oversight in the organization. After all, your security practices are only as strong as the weakest link — one inattentive manager puts the whole organization at risk.
- Demonstrate Your Professionalism. How do you show that your department is well run from a risk perspective? The answer: obtain clean audit reports. We have seen banks where executives brag about their “clean audit” track record to show how well they are managing risk.
What Internal Auditors Want to Know About Access Governance
Note that internal auditors set their priorities and plan year to year. They may not focus on access governance right now, but it is smart to get ready for the future. Here are some areas and documents internal auditors may ask about in their next review.
1) Your access governance policy and procedure documents
Auditors like to start with the policy or framework document that describes your approach to access governance. Don’t panic if you do not have a specific access governance document. If access governance matters are covered in a different policy document, auditors will accept that approach. Auditors will also want to see evidence that the policy is up to date and managers have communicated it to staff.
2) Show evidence of management oversight for access governance
Your internal auditors want to see how managers keep an eye on access governance. It is not enough to say “I manage access — trust me.” Auditors want to look at reports, documents, and records that prove your oversight. That is why the best access governance solutions include audit reports and audit logs.
3) Document that managers are removing access on a timely basis
If two employees left a department last year, did their access rights change? If not, that is a significant risk failing. For example, if an employee resigned from the company and went to work for a competitor, leaving their access privileges in place is unacceptable! To avoid unpleasant questions, you will need an access governance solution that makes it easy to turn off access when employees leave.
Tip: Add “remove access” to your employee offboarding checklist to make sure this step is never missed.
4) Demonstrate that you take a risk-based approach to access governance
Some access privileges are more potent than others. From an auditor’s perspective, that means a higher possibility for fraud and misuse. Consider organizing your access rights into several levels:
- Low Risk. This is the lowest level of access that all employees possess. Significant changes are likely to require approval from management.
- Medium Risk. This access level includes some authority to make changes, such as approving spending up to a specified dollar amount. This access level also includes governance over lower access levels.
- High Risk. This access level tends to be limited to executives and a small number of administrators, and carries significant powers. Applying additional reviews and oversight at this access level makes sense.
5) How is access governance integrated with other cybersecurity practices?
Robust access controls can only do so much on their own. For example, if the organization has no password management policy, users can get away with lazy passwords like “QWERTY” or “1234567.” Auditors may initially start their review focused on access matters. However, if they detect other problems in security, they may dig deeper.
Resource: If you find that your password governance is weak, it is time to take action to improve. Find out how to develop your password management business case to get started.
6) Does your access governance approach align with industry best practices?
You may have detailed policies, procedures, and systems in place, but what if they have not been updated since 2001? That is a problem! To address the risk posed by out of date practices, auditors will compare your company’s approach with industry best practices. If your company accepts credit card payments, familiarize yourself with the PCI Security Standards Council requirements.
How to Handle Access Governance Audit Findings?
You may be reading this article as an audit is starting or after an audit has finished. In that case, you may end up receiving audit findings on access governance. If that happens to you, keep two points in mind.
First, audit findings are serious, and you will face questions about the findings from your executives. Second, the way you respond to findings is critical. Take the time to thoroughly read the audit report and verify that the facts and examples reported are accurate. Next, arrange a meeting with your team to develop a plan to respond to the findings. Focus on solving the underlying problems and processes (e.g., require managers to complete access reviews on a semi-annual basis) versus attacking symptoms like a single employee’s mistake.
