by CIO Staff

Surviving the IT Audit

Apr 04, 2005 (2 mins)


As I’ve mentioned in this space a few times over the last month, I’m currently writing a story on Sarbanes-Oxley compliance. But it is quickly turning into an IT audit story. The CIOs I have talked to so far all have horror stories about auditors giving them conflicting information or no information at all. One CIO described watching helplessly as his internal and external auditors yelled at each other over which auditing standard to use. Another came up with a list of 185 controls, but her auditors wouldn’t tell her which ones were unnecessary, so now she has 185 controls to enforce.

I took an educated guess in the previous posts that compliance has been a manual process. I can confirm that this is mostly true—one source bought a system a year ago but hasn’t had a chance to learn how it works yet, let alone put it into production. Also, the IT audit is taking way too much time. So, in the interest of helping out the readers who haven’t had their first IT audit yet, here are the five most common control weaknesses:

  1. Improper account provisioning with segregation of duties
  2. Insufficient controls for change management
  3. A general lack of understanding around key system configurations
  4. Audit logs not being reviewed (or that review itself not being logged)
  5. Abnormal transactions not identified in a timely manner
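Two of these weaknesses (items 1 and 4) can be checked mechanically rather than by hand. The following Python script is an added example, not code from this column or from any auditing product; it assumes a simple data model (provisioning records as user-to-role lists, a segregation-of-duties matrix as forbidden role pairs, and a separate record of log reviews) and runs entirely on constructed sample data. It flags users who hold a conflicting pair of roles, and audit-log periods whose review was never recorded or was recorded after a deadline, which is the "review itself not being logged" point above.

```python
"""Added example (not from the original column): checks for two common IT audit
control weaknesses, segregation of duties and unreviewed audit logs, on constructed data."""
from datetime import date, timedelta

# Constructed segregation-of-duties matrix: each pair is two roles one person must not hold.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"journal_post", "journal_approve"}),
    frozenset({"change_develop", "change_deploy_prod"}),
}

# Constructed provisioning records (user -> roles granted). Not real accounts.
PROVISIONING = [
    {"user": "alice", "roles": ["vendor_create", "payment_approve"]},
    {"user": "bob", "roles": ["journal_post"]},
    {"user": "carol", "roles": ["change_develop", "change_deploy_prod", "journal_approve"]},
]

# Constructed audit-log periods that must each receive a documented review.
LOG_PERIODS = [
    {"system": "erp", "period_end": date(2005, 3, 31)},
    {"system": "payroll", "period_end": date(2005, 3, 31)},
    {"system": "erp", "period_end": date(2005, 2, 28)},
]

# Constructed record of reviews actually performed (the review itself is logged).
REVIEW_LOG = [
    {"system": "erp", "period_end": date(2005, 2, 28), "reviewer": "dave", "reviewed_on": date(2005, 3, 5)},
    {"system": "payroll", "period_end": date(2005, 3, 31), "reviewer": "erin", "reviewed_on": date(2005, 4, 20)},
]


def find_sod_violations(records, conflicts=SOD_CONFLICTS):
    """Return sorted (user, (role_a, role_b)) tuples for every user whose granted
    roles contain a forbidden pair from the segregation-of-duties matrix."""
    violations = []
    for rec in records:
        roles = set(rec["roles"])
        for pair in conflicts:
            if pair <= roles:  # user holds both roles of a conflicting pair
                violations.append((rec["user"], tuple(sorted(pair))))
    return sorted(violations)


def find_unreviewed_logs(periods, reviews, as_of, max_delay_days=10):
    """Return sorted (system, period_end_iso, reason) tuples for log periods that
    have no recorded review by the deadline, or whose review was recorded late.
    A missing review is only reported once the deadline has passed as of `as_of`."""
    reviewed = {(r["system"], r["period_end"]): r for r in reviews}
    findings = []
    for p in periods:
        deadline = p["period_end"] + timedelta(days=max_delay_days)
        review = reviewed.get((p["system"], p["period_end"]))
        if review is None:
            if as_of > deadline:
                findings.append((p["system"], p["period_end"].isoformat(), "no review recorded"))
        elif review["reviewed_on"] > deadline:
            findings.append((p["system"], p["period_end"].isoformat(), "review recorded late"))
    return sorted(findings)


if __name__ == "__main__":
    for user, pair in find_sod_violations(PROVISIONING):
        print(f"SoD violation: {user} holds {pair[0]} and {pair[1]}")
    for system, period, reason in find_unreviewed_logs(LOG_PERIODS, REVIEW_LOG, as_of=date(2005, 4, 25)):
        print(f"Log review finding: {system} period ending {period}: {reason}")
```

Both checks produce evidence an auditor can inspect (the conflict matrix, the provisioning export, and the review log are inputs that can be handed over), which is the point: the control is not just that logs are reviewed but that the review is itself recorded and can be tested.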

For the readers who have gone through an audit, does that list sound right? Also, how many controls did you end up documenting (185 sounds high to me)? Are there ones that your auditor told you aren’t really necessary? And as always, if you want to vent, well, that’s what the comment section is for.