Tailor IT Audit Policies to Fit Business

Bad facts make bad laws, as politicians say. The same is true in the corporate boardroom: bad scandals make bad policies, even with the best of intentions at heart.

Scandals about accounting irregularities and data breaches have created an alphabet soup of reports and audits that are regularly conducted on many of our clients. A few times a year, I get an email from a client asking for my help to complete the IT section of an audit requested by the client's parent company, investor, insurer, bank, customer, etc.

The section starts out with three easy questions:

  1. What does the network look like?
  2. Do you have antivirus protection?
  3. Is there a firewall in place?

Having done this many times, we are able to quickly respond.

However, that is not where the music stops for this particular dance; it is where the tempo gets cranked up, because within a week we get a follow-up email asking for more information.

I open the follow-up requirements and I see requests for:

  • Minutes from IT Steering Committee meetings. What IT Steering Committee?
  • Current SSAE 16 SOC 1 reports. We have no need for these.
  • Current Incident Response Program/Policy. That's a good question.

Ugh, I think to myself.

I say ugh because the requirements are usually designed for large organizations, or are written for a company that built a web-based tool and is housing client information.

The overwhelming majority of my clients are B2B, service-aligned companies. These audits are not designed for them.

I say ugh because the requirements in these documents are not written by IT people; they are written by auditors, lawyers and underwriters who rarely know what the business actually runs.

Fortunately, after I explain this, most clients understand that it doesn't make sense for us to create an Incident Response Program/Policy written for a data-hosting company for their business. That doesn't mean ignoring incidents altogether; a short plan sized to the company (who to call, what to shut off, what to tell customers) is usually all that is needed.

Some don’t.

If your IT department is not engaging the business side enough, reach out and let’s talk.