Audit and Examination Tips - WST

Excerpt from 10-D Academy's Essential ISO course material

Here are some helpful tips for audit and examination preparation to hopefully make the process go smoother for your institution and staff.

• Prepare documentation as soon as the document request list arrives. Separate the list out and assign collection responsibilities and deadlines to the respective knowledgeable parties.
• If something (e.g. policies) on the request list hasn’t been created, ask us here at 10-D Security if we have a sample. Don’t rush to get it finalized or approved. During an audit, we will review policies and standards awaiting planned board approval and likely give credit where credit is due.
• Try and return documents in the same organized manner they were requested. Although not generally required it does make the process a whole lot smoother.
• Make sure that institution staff are aware of all audit and examination schedules, and expectations. Make the audit and exam schedule is an agenda item for committee and board meetings.
• At least one individual, preferably the ISO, should be the point of contact for the IT security portion of audits and exams.
• Clear calendars and set expectation that managers and key staff may be tapped for interviews. In the same vein, don’t make a rigid to-the-minute schedule. Keep things flexible as it’s likely that some conversations will run longer than others.
• Examiners and auditors will often use basic investigative techniques. Keep in mind that the goal is to collect information, and not catch institution staff in a gotcha moment.
• Audits are meant to be informative as much as they are meant to uncover security issues. If there are questions before, during, or after, just ask.
• It’s not personal. Defend your position, as there is always room for reasonably objective conversation. However, there are some things that allow for greater flexibility and some that don’t.
• It’s okay to say, “I don’t know,” or “I don’t have that.” But remember, repeat findings are not great. A documented and objective explanation for all accepted risk and repeat findings, as well as proof of board approval, is necessary.

These helpful tidbits are resultant of audits with past and repeat customers and our own experiences with exams. They also culminate from decades of combined experience of our auditors and engineers. Let 10-D Security know if you have any questions. We hope they help you in your future endeavors!

Compiled by: Mike Smith, AWS - CCP