Passing the audit, or solving the problem

While responding to requirements identified during an IT audit, both internal and external, I have observed many cases where the identified need was to demonstrate that an implementation plan was in place to mitigate several risks. Instinctively one would think that undertaking the implementation was implied in the requirement, but this is often far from the truth.

Upon presenting the plan in detail along with expected results at each stage of the implementation, the management reminded us that the action was specifically to demonstrate that a detailed plan existed. The auditor’s report did not explicitly state that we must implement the plan. Consequently, management chose not to sanction further work.

From the auditor’s point of view, defining an action in the form of ‘tell me how you are going to fix this problem’, is logical as a next step. However, far too often, it results in a focus on closing audit actions rather than resolving the underlying issue that caused the audit action to be defined. As security professionals, we have a duty to decision-makers to challenge the requirements under these conditions, by illustrating the potential consequences of inaction.