The IT Audit – Ready or Not – Here I come…

Monday morning 8:15, you start feeling that weird sense of guilt and nervousness, you feel the beads of sweat forming on your forehead, 15 minutes left before the auditor arrives…

You ask yourself – “How long could this possibly take? What are they looking for? What if I can’t provide the answers to all their questions? Should I look for a plane ticket to a faraway country where they don’t have an extradition treaty?”

If you’re one of the lucky ones that still haven’t had the “pleasure” of being put through an IT audit, you might want to continue reading… Because trust me, you will…

With all the new compliance regulations we need to follow, not to mention the hefty fines for non-compliance (for Pete's sake, the maximum fines for GDPR violations alone can reach €20 million or 4% of the organization's global annual turnover from the preceding financial year!), you don't have to be a rocket scientist to see that covering all bases matters more and more. In most cases it's not one or two compliance regulations we need to follow, but several, unless you really want to send your organization to the cleaners... How much was that plane ticket again?

How could you possibly know what information you need to be able to provide without being an auditor yourself? Do you need to follow GDPR compliance regulations even though your company is based in the US? How detailed does the information need to be? How do you make sure you're prepared for an audit?

An auditor's job is to uncover flaws in your IT security and processes, so look at it as an external review of the state of changes and security in your IT systems. You might be under the assumption that your network is, and always has been, as secure as Fort Knox, and that you've never had an incident, but unfortunately that is usually pretty far from reality.

So, what does an external review really mean? Do you have to consult & pay for an independent auditor?

The short answer is: "No, not if you have the right set of tools."

An external review should be measured against what you believe your compliance and security status to be. Let's assume you rely on your change logs to conclude that your system is secure; you still need another, independent means to corroborate that every change actually was logged.

If you use a tool like Cygna Auditor, Quest Change Auditor or BeyondTrust PowerBroker, you have a system that collects all the necessary information from the native log files and displays it in a user-friendly manner that lets you easily view every event that took place within your systems: the "Who", "What", "When" and "Where" that an auditor would request.

Cygna Auditor corroborates that every change was logged, so there is no need for an external auditor to go through it all in detail to validate the ever-changing state of your security and environment. Since you have all the log reports, finding the answers to any question an auditor can think of asking should be a fairly easy task.
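The corroboration step above (checking that every change actually made it into the log) can be demonstrated with a small reconciliation script. The following is an added example, not code from Cygna Labs or any of the products named in the post: it diffs two constructed snapshots of hypothetical objects (a group, a share ACL, a password policy setting), matches each observed change against a constructed who/what/when/where change log, and reports the changes that have no log entry, which is exactly the gap an auditor will ask about.

```python
"""Corroborate a change log against observed state (added example).

Two snapshots of the same objects are diffed, and every observed change
is matched against the change log. A change with no log entry is an
unlogged change; a log entry with no observed change is flagged too,
since it may be a reverted or mis-recorded event.
"""

# Constructed sample snapshots: object id -> observed value.
# Object names are hypothetical and only illustrate the technique.
BASELINE = {
    "group:Domain Admins": frozenset({"alice", "bob"}),
    "share:fs01/finance:acl": frozenset({"finance-ro", "finance-rw"}),
    "policy:password:min_length": 12,
}
CURRENT = {
    "group:Domain Admins": frozenset({"alice", "bob", "mallory"}),
    "share:fs01/finance:acl": frozenset({"finance-ro", "finance-rw"}),
    "policy:password:min_length": 8,
}

# Constructed change log in the who/what/when/where shape the post describes.
# Note that the password policy change below is deliberately missing here.
CHANGE_LOG = [
    {"who": "bob", "what": "group:Domain Admins", "when": "2024-01-08T08:02Z",
     "where": "dc01", "detail": "member added: mallory"},
]


def diff_state(baseline: dict, current: dict) -> dict:
    """Return {object: (old, new)} for every object whose value differs,
    including objects that appeared or disappeared between snapshots."""
    changes = {}
    for key in baseline.keys() | current.keys():
        old, new = baseline.get(key), current.get(key)
        if old != new:
            changes[key] = (old, new)
    return changes


def reconcile(changes: dict, log: list) -> dict:
    """Split observed changes into logged and unlogged, and flag log
    entries whose object shows no observed change."""
    logged_objects = {entry["what"] for entry in log}
    logged = sorted(k for k in changes if k in logged_objects)
    unlogged = sorted(k for k in changes if k not in logged_objects)
    phantom = sorted(logged_objects - changes.keys())
    return {"logged": logged, "unlogged": unlogged, "phantom": phantom}


if __name__ == "__main__":
    result = reconcile(diff_state(BASELINE, CURRENT), CHANGE_LOG)
    for kind, objects in result.items():
        print(f"{kind}: {objects}")
```

Running it lists the group change as logged and the password policy change as unlogged. In practice the two snapshots would come from scheduled exports of the systems under audit, and the log from the auditing tool's own reports, so that the tool's output is checked against something it did not produce itself.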

