Nobody wakes up in the morning and looks forward to participating in an audit. That is why you need to find ways to make the whole process less painful for your employees. Streamline the record keeping and user certification aspect of your next IT audit. Saving time on audits is one way to establish your business case for identity management.
1) Know Your IT Audit History
Have you ever wondered what IT auditors do before they come to your department? To save time on your IT audit, take a moment to understand how they work. Internal auditors and IT auditors tend to work from an annual audit plan that directs their overall approach and defines their priorities. If you’re not sure about the IT audit’s goals, ask the auditor who worked with your group last year.
Speaking of last year’s audit, that is a key resource for saving time on this year’s audit. If you have any outstanding findings, get to work on solving those areas. If you start an audit with outstanding issues from the last audit, the lack of action will encourage your auditors to take a harsher approach to your department. Specifically, the audit may take longer to complete and you may have additional findings to explain.
2) Improve Your User Certification Process
Auditors like to ask for documentation and procedures. To save time on your next audit, use two principles for user certification: simplicity and consistency. Create a simple one-page checklist that summarizes your approach. For example, you might start the document by stating your user certification frequency (e.g. quarterly). Once you have created the process, add a recurring calendar reminder to check on your user certification.
You can manage user certification manually, but why make life so difficult? The business case for identity management comes down to two benefits. First, save time by automating repetitive tasks. Second, reduce risk by ensuring that identity and access matters are managed consistently.
3) Simplify Your User Certification Records Management
“Show me the documentation…”
You will hear that phrase over and over again when the IT auditors come to visit. They have a job to do, and need documentation to get it done. Rather than fielding constant interruptions, use a system to keep user certification and identity records managed automatically for you.
While every auditor has a different style, the following points are typically checked. Assess the completeness of your records on these topics:
- User type: your system should distinguish between different types of users, such as administrators and business users.
- Approved by: each user’s access and identity should be approved by an appropriate person in a management role.
- Review history: as people come and go, identity administration records need to keep pace. Your records should demonstrate when identity records are reviewed and approved, even if no change is required.
- Enhanced review for sensitive systems: some systems require additional oversight to prevent fraud and other risk events. Ask yourself how you will demonstrate added oversight in those cases (e.g. approval required from more than one person).
Tip: Between audits, ask to meet with an IT auditor to go through their requirements. Once you have that information, you can create a standard report. That will save you time on all of your future audits.
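As an added example (not code from the original post or from Avatier), the following Python script runs the four record checks listed above over constructed sample records and produces the kind of standard report the tip describes. The field names, the set of sensitive systems, and the quarterly review window are assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed sample user-certification records (not real data).
# Each record: user, user type, system, approvers, date of last review.
RECORDS = [
    {"user": "alice", "type": "admin", "system": "payroll",
     "approvers": ["cfo"], "last_review": date(2024, 1, 15)},
    {"user": "bob", "type": "business", "system": "crm",
     "approvers": ["sales_mgr"], "last_review": date(2024, 3, 1)},
    {"user": "carol", "type": "business", "system": "crm",
     "approvers": [], "last_review": date(2024, 3, 1)},
    {"user": "dave", "type": "", "system": "wiki",
     "approvers": ["it_mgr"], "last_review": date(2023, 6, 1)},
]

VALID_TYPES = {"admin", "business"}        # assumed user types
SENSITIVE_SYSTEMS = {"payroll"}           # assumed: two approvers required
REVIEW_WINDOW = timedelta(days=92)        # quarterly certification frequency
AS_OF = date(2024, 3, 31)                 # date the report is produced


def check_record(rec, today):
    """Return the list of audit findings for one certification record."""
    findings = []
    if rec["type"] not in VALID_TYPES:
        findings.append("user type missing or unrecognised")
    if not rec["approvers"]:
        findings.append("no approver recorded")
    if today - rec["last_review"] > REVIEW_WINDOW:
        findings.append("review overdue")
    # Sensitive systems need approval from more than one distinct person.
    if rec["system"] in SENSITIVE_SYSTEMS and len(set(rec["approvers"])) < 2:
        findings.append("sensitive system needs a second approver")
    return findings


def certification_report(records, today):
    """Map each user with at least one finding to that user's findings."""
    report = {}
    for rec in records:
        findings = check_record(rec, today)
        if findings:
            report[rec["user"]] = findings
    return report


if __name__ == "__main__":
    for user, issues in certification_report(RECORDS, AS_OF).items():
        print(f"{user}: {'; '.join(issues)}")
```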
4) Improve Your Working Relationship With The Auditors
Building a business case for identity management may go beyond identity issues. For example, your company’s internal audit group may be working on a modernization project. In that situation you can support the audit group in achieving their goals. For instance, point out that an identity management system would speed up and systematize the company’s internal controls. If you are considering different systems, include the audit department as an internal stakeholder in your process.
Outside of your annual audit activity, developing the relationship with the audit department makes life easier for everyone. If you meet with your auditor on a quarterly basis, even if there are no issues, they will come to understand your projects and priorities. With that understanding, you will both avoid nasty surprises during audit season.
Tip: Auditors are required to maintain independence from the rest of the business. Keep this in mind as you build a relationship with them. Make it clear that you are seeking to understand them, not influence their findings.
5) Add Audit And Risk As Annual Goals For All Your Staff
Did you know that some industries — such as banking and financial — measure each employee on risk management? If you operate in a highly regulated environment like finance or government, adopting this approach may be wise. When employees know that managing risk and audit requirements is part of their annual review, they will take these responsibilities more seriously and raise issues for action instead of ignoring them.
What if your company does not use risk management as an organizational goal? You can still make the business case for identity management and related activities to your employees. Adapt the following script to send a message to your staff at your next annual planning meeting:
As you know, our department is responsible for identity management. It is a critical process to protect the company, our staff and customers. At the same time, we can’t afford to stop everything when audit comes to visit. That’s why we use Avatier to streamline the identity process. I will recognize your efforts to support identity management in your annual reviews. If you have questions about this work, please come and see me.