IT Auditing 2.0: Changing Your Definition of an Audit

Everyone in IT knows the word – Audit. But, after years in this industry, and speaking with countless IT folks, it is apparent that not everyone has the same definition. For some, it means checking the current state of security. For others, it’s a review of a maintained log of changes over a period of time. And still for others, it’s a review of the defined standards (that is, without actually looking at whether those standards are properly implemented).

So, is there a “correct” definition of an audit?

I like to use the most everyday use of the term audit to find some common ground that we all can agree on – an IRS audit. We all either know first hand or get what the IRS is doing – they are examining your submitted tax records and validating them. In essence, the IRS is providing an external review of that which you believe to be true. And they don’t just take your word on it; they cross-reference all the forms from external sources – like your W-2, 1099s, a year-end mortgage interest statement, etc. – all to corroborate your “story”.

IT audits should be looked at the same way. You need an external review of what you believe to be the state of changes and security. Otherwise, you’re just fooling yourself into believing that your network is, and has been, secure and without incident.

So, what constitutes an external review? Does it mean that you absolutely must hire an independent auditor? Or some security expert with their set of best practices? Not necessarily. In fact, the external part is in reference to that which you believe to be true. It means, if you rely on, say, a change log of some kind (which represents the list of what you believe has happened on your network), you need to have another means to corroborate that every change was logged.

And once that’s verified, then someone needs to go through it in detail to validate the ever-changing state of your security and environment. In fact, if every change to configurations, security, and policies is documented, finding just about any answer an auditor can conceive of should be a somewhat easy task (because the answers are there).

Without changing your definition, you’ll fall into the same patterns of reassuring yourself everything’s been documented, and have little need to ensure your environment is properly configured and secure.

In this webinar, I’ll discuss more on how to properly define auditing, what kinds of detail auditors require so you can successfully pass an audit, and what kind of expectation you should have when it comes to proper time frame to address audits – all when using a 2.0 definition of an IT Audit.