How to Make Your IT Audit a Positive Experience
By Chris Manning, Director of Information Systems Consulting, CISA
RLR Management Consulting, Inc.
If the thought of preparing for your financial institution’s IT Audit makes you want to run the other way, relax…these tips will save you time, stress and set the stage for a positive result.
Collection of Documents
Certain documents will be requested in advance of your onsite review and filling this request is the most time-consuming part of the audit. To save time, maintain an audit folder on your computer throughout the year. Scan and save all documentation you were asked for in your previous IT audits, this way you will already have a good portion of what is needed for your next audit. If possible, update those documents with the latest version as they are changed during the year. Your auditor can provide you with a list of what is needed any time during the year.
Maintain a Tracking Log
A Tracking Log can be a spreadsheet within the Audit folder (mentioned above) with any accompanying documentation of all previous audit recommendations so that you can prove to the next auditor that old recommendations have been addressed and not forgotten.
Allow enough time as requested by your auditor for onsite interviews and inspections. Scheduling time on your calendar may help alleviate the feeling of being pulled in two different directions during the actual audit.
Be Ready for Questions
Follow up questions and discussions will take place as the auditor prepares your report.
A draft report or exit review should be conducted for feedback and discussion before a final audit report version is issued. Be sure to add audit recommendations to the Tracking Log and determine when/how those will be resolved.
Make sure you complete a network penetration and social engineering test by a third party at least annually. (RLR can provide these services) These services can be included in your audit or contracted separately during the year. Also, be sure you can document your compliance to at least the Baseline Level of controls in the FFIEC Cybersecurity Assessment Tool.